Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Invalid
-
2.4.4
-
None
-
None
-
Windows 10 Pro 1809
OS Build: 17763.973
gpg (GnuPG) 2.2.19 libgcrypt 1.8.5
Description
I downloaded the signatures files from the Apache Spark download page:
- spark-2.4.4-bin-hadoop2.7.tgz.asc
- spark-2.4.4-bin-hadoop2.7.tgz.sha512
- KEYS
I ran the following commands:
gpg --import KEYS
gpg --verify spark-2.4.4-bin-hadoop2.7.tgz.asc spark-2.4.4-bin-hadoop2.7.tgz.sha512
For the KEYS command, I got:
gpg: key 7B165D2A15E06093: "Andrew Or <andrewor14@gmail.com>" not changed gpg: key 6B32946082667DC1: "Xiangrui Meng (CODE SIGNING KEY) <meng@apache.org>" not changed gpg: key B1A91F0000799F7E: "Patrick Wendell <pwendell@gmail.com>" not changed gpg: key 7C6C105FFC8ED089: "Patrick Wendell <pwendell@gmail.com>" not changed gpg: key 5D951CFF87FD1A97: "Tathagata Das (CODE SIGNING KEY) <tdas@apache.org>" not changed gpg: key 548F5FEE9E4FE3AF: "Patrick Wendell <pwendell@gmail.com>" not changed gpg: key A70A1B29E90ADC5D: 1 signature not checked due to a missing key gpg: key A70A1B29E90ADC5D: "Holden Karau (CODE SIGNING KEY) <holden@apache.org>" not changed gpg: key B6C8B66085040118: "Felix Cheung (CODE SIGNING KEY) <felixcheung@apache.org>" not changed gpg: key DCE4BFD807461E96: "Sameer Agarwal (CODE SIGNING KEY) <sameerag@apache.org>" not changed gpg: key FD8FFD4C3A0D5564: 3 signatures not checked due to missing keys gpg: key FD8FFD4C3A0D5564: "Marcelo M. Vanzin <vanzin@apache.org>" not changed gpg: key DE4FBCCD81E6C76A: "Thomas Graves (CODE SIGNING KEY) <tgraves@apache.org>" not changed gpg: key DB0B21A012973FD0: "Saisai Shao (CODE SIGNING KEY) <jshao@apache.org>" not changed gpg: key 6BAC72894F4FDC8A: "Wenchen Fan (CODE SIGNING KEY) <wenchen@apache.org>" not changed gpg: key EDA00CE834F0FC5C: "Dongjoon Hyun (CODE SIGNING KEY) <dongjoon@apache.org>" not changed gpg: key 6EC5F1052DF08FF4: "Takeshi Yamamuro (CODE SIGNING KEY) <yamamuro@apache.org>" not changed gpg: key 42E5B25A8F7A82C1: "DB Tsai <dbtsai@dbtsai.com>" not changed gpg: key 96F72F76830C0D1B: "Xiao Li (CODE SIGNING KEY) <lixiao@apache.org>" not changed gpg: key E49A046C7F0FEF75: "Kazuaki Ishizaki (CODE SIGNING KEY) <kiszk@apache.org>" not changed gpg: key E1B7E0F25E4BF56B: "Xingbo Jiang (CODE SIGNING KEY) <jiangxb1987@apache.org>" not changed gpg: key 6E1B4122F6A3A338: "Yuming Wang <yumwang@apache.org>" not changed gpg: Total number processed: 20 gpg: unchanged: 20
For the verification, I got:
gpg: Signature made 08/27/19 22:30:32 GMT Daylight Time gpg: using RSA key EDA00CE834F0FC5C gpg: BAD signature from "Dongjoon Hyun (CODE SIGNING KEY) <dongjoon@apache.org>" [unknown]
I have two questions:
- why did this happen? I downloaded and installed Spark from one mirror and then the other, and still got the error. Also, the three files are the same in either case, so how does it tell which signature works?
- I assume that when you get a bad signature error, that you should reinstall from another mirror. Is this true?
- What is the signature verification doing?