infra-issues mailing list archives

From "DB Tsai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-18018) Failed to validate the pgp signature of .... check the logs.
Date Tue, 19 Mar 2019 22:17:00 GMT

    [ https://issues.apache.org/jira/browse/INFRA-18018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16796576#comment-16796576 ]

DB Tsai commented on INFRA-18018:
---------------------------------

Thanks. The issue looks clearer now. It's a new RSA4096 key I generated. I was using an ECDSA
key before, and I realized ECDSA keys are not supported in Nexus, so I generated a new RSA4096
key. Then, I signed the new RSA key with my old ECDSA key. I guess Nexus is trying to validate
the whole signing chain, resulting in the issue.

I think it is worth fixing this on our Nexus server, since anyone can sign other people's keys and
upload them to a keyserver as part of the trust chain. Thus, without a fix, potentially, if someone
signs another committer's key with ECDSA and uploads it to a keyserver, it will create problems.


Let me try to stage the jars again. Thank you very much, [~cml] and [~brianf] 

> Failed to validate the pgp signature of .... check the logs.
> ------------------------------------------------------------
>
>                 Key: INFRA-18018
>                 URL: https://issues.apache.org/jira/browse/INFRA-18018
>             Project: Infrastructure
>          Issue Type: Improvement
>          Components: Nexus
>            Reporter: DB Tsai
>            Assignee: Chris Lambertus
>            Priority: Major
>
> I am trying to create a new release of Spark 2.4.1, and I often run into "Failed to validate
> the pgp signature" when I upload the artifacts to Nexus. It's intermittent, and doesn't happen
> every time, but it happens very often that I need to rebuild the release many times to get
> one successful upload. My key is in key server 42E5B25A8F7A82C1. Can any admin check the
> log on Nexus side, and see what's going on?
> BTW, I downloaded the jars and asc; I manually checked the signature locally, and they
> all looked good. See orgapachespark-1313
> Thanks.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
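
A check for the situation described in the comment above, added here as an example and not taken from the thread or from Nexus: it walks the OpenPGP packets of an exported public key and lists user ID certifications issued by keys other than your own, flagging those made with ECDSA. The function names, the caller-supplied key ID and the sample bytes are assumptions for illustration; only v4 signatures with one-octet subpacket lengths are handled, and no signature is verified.

```python
ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}  # OpenPGP public-key algorithm IDs

def packets(data):  # yields (tag, body); partial and indeterminate lengths are rejected
    i = 0
    while i < len(data):
        hdr, i, length = data[i], i + 1, None
        if hdr & 0x40:                                    # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
        else:                                             # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if n < 8:
                length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if length is None:
            raise ValueError("partial or indeterminate packet length")
        yield tag, data[i:i + length]
        i += length

def issuer(area):  # key ID from an Issuer subpacket (type 16) in a subpacket area, else None
    i = 0
    while i + 1 < len(area):
        n = area[i]                                       # length covers type octet + data
        if not 0 < n < 192:
            raise ValueError("only one-octet subpacket lengths are handled")
        if area[i + 1] & 0x7F == 16:
            return area[i + 2:i + 1 + n]
        i += 1 + n

def third_party_certs(key, own_id, unsupported=frozenset({19})):  # 19 = ECDSA, per the comment above
    """Yield (issuer key ID, algorithm, flagged?) for user ID certifications not issued by own_id."""
    for tag, body in packets(key):
        if tag == 2 and body[0] == 4 and 0x10 <= body[1] <= 0x13:
            h = 6 + int.from_bytes(body[4:6], "big")          # end of hashed subpacket area
            u = h + 2 + int.from_bytes(body[h:h + 2], "big")  # end of unhashed subpacket area
            who = issuer(body[6:h]) or issuer(body[h + 2:u])
            if who != own_id:
                yield (who.hex().upper() if who else "?", ALGOS.get(body[2], str(body[2])), body[2] in unsupported)

# Constructed sample, not a real key: truncated key packet, user ID, self-signature, ECDSA certification.
OWN, OTHER = bytes.fromhex("AAAAAAAAAAAAAAAA"), bytes.fromhex("1122334455667788")
def make_sig(sigtype, algo, kid):  # v4 signature, empty hashed area, Issuer unhashed, MPIs omitted
    return bytes([0xC2, 20, 4, sigtype, algo, 8, 0, 0, 0, 10, 9, 16]) + kid + b"\x00\x00"
SAMPLE = b"\x98\x06\x04\x5c\x91\x00\x00\x01" + b"\xb4\x0bconstructed" + make_sig(0x13, 1, OWN) + make_sig(0x10, 19, OTHER)
```

On a real key, feed it the binary output of `gpg --export <key id>` together with that key's 8-byte key ID; `list(third_party_certs(SAMPLE, OWN))` on the constructed sample reports the one ECDSA certification.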