On 3/11/19 8:36 AM, [email protected] wrote:
> Hello,
>
> It appears the keys listed here are outdated.
> https://www.apache.org/dist/cassandra/KEYS
>
> Trying to install Cassandra 311x on Ubuntu 18.0.4. The recommendation is to
> use the keys from the link above however, one of them is revoked. Others
> on this page are in the same state as well. Can someone from the dev group
> clean this up? It's a little unsettling when the official documentation -
> http://cassandra.apache.org/download/ gives instructions to download revoked
> keys.
>
> apt-key list
>
> --------------------
> pub rsa4096 2014-06-16 [SCEA] [revoked: 2016-08-16]
> 7B0A 593A 9795 A964 AD57 D255 D46C 5ECB FE4B 2BDA
> uid [ revoked] Michael Shuler <[email protected]>
>
> pub rsa4096 2009-07-15 [SC]
> A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA
> uid [ unknown] Michael Shuler <[email protected]>
> uid [ unknown] Michael Shuler <[email protected]>
> sub rsa4096 2009-07-15 [E]

These are not the same keys. It looks like you possibly did a short-key
import (FE4B2BDA), as well as the long-key import, as the download
instructions indicate. Here's my valid key:

mshuler@hana:~$ gpg --list-secret-key --fingerprint FE4B2BDA
gpg: please do a --check-trustdb
sec rsa4096 2009-07-15 [SC]
A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA
uid [ unknown] Michael Shuler <[email protected]>
uid [ unknown] Michael Shuler <[email protected]>
ssb rsa4096 2009-07-15 [E]

In 2016, someone took a list of the strong key set and uploaded keys
with faked short-key identifiers matching those of existing keys. It's a
joe job to identify the weakness of using short key identifiers. There
are thousands of these fake keys, and they've been revoked.

https://www.zdnet.com/article/pgp-security-weakness-exposed/

Drop that bogus key from apt-keys:

apt-key del D46C5ECBFE4B2BDA

This message is signed with the correct key.

--
Kind regards,
Michael
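
Added example, not part of the original message: a shell check that reads gpg's colon-format listing, reports primary keys that share a 32-bit short key ID, and verifies a key by its full fingerprint instead. The function names and the sample listing are constructed for illustration; only the two primary-key fingerprints come from the thread.

```shell
#!/bin/sh
# Added example: audit a keyring listing for short-key-ID collisions.
# Feed it `gpg --with-colons --fingerprint --list-keys` output on stdin.

# Constructed sample in gpg's colon format. Only the two primary-key
# fingerprints come from the thread; every other field is illustrative.
sample_listing() {
cat <<'EOF'
pub:r:4096:1:D46C5ECBFE4B2BDA:1402876800:::-:::scESCA:
fpr:::::::::7B0A593A9795A964AD57D255D46C5ECBFE4B2BDA:
pub:-:4096:1:A278B781FE4B2BDA:1247616000:::-:::scESC:
fpr:::::::::A26E528B271F19B9E5D8E19EA278B781FE4B2BDA:
sub:-:4096:1:0123456789ABCDEF:1247616000::::::e:
fpr:::::::::00112233445566778899AABB0123456789ABCDEF:
EOF
}

# Print "SHORTID FINGERPRINT STATE" for every primary key whose last
# 8 hex digits are shared with another primary key in the listing.
short_id_collisions() {
    awk -F: '
        $1 == "pub" { validity = $2; primary = 1; next }
        $1 == "sub" { primary = 0; next }   # skip subkey fingerprints
        $1 == "fpr" && primary {
            short = substr($10, length($10) - 7)
            state = (validity == "r") ? "revoked" : "not-revoked"
            rows[short] = rows[short] short " " $10 " " state "\n"
            count[short]++
            primary = 0
        }
        END { for (s in count) if (count[s] > 1) printf "%s", rows[s] }
    '
}

# Succeed only if the full fingerprint ($1, spaces allowed) belongs to
# a primary key in the listing that is not revoked.
pinned_key_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { validity = $2; primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { if ($10 == want && validity != "r") ok = 1; primary = 0 }
        END { exit (ok ? 0 : 1) }
    '
}

sample_listing | short_id_collisions
```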
