Bob created FLINK-16424:
---------------------------

Summary: Can't verify PGP signatures of Flink 1.9.2 and 1.10.0
Key: FLINK-16424
URL: https://issues.apache.org/jira/browse/FLINK-16424
Project: Flink
Issue Type: Improvement
Reporter: Bob

I tried to follow the steps on the download page [https://flink.apache.org/downloads.html] and [http://www.apache.org/info/verification.html] but I am unable to verify the Flink packages with the help of the PGP signatures of Flink 1.9.2 and 1.10.0.

Steps to reproduce:
# Download Flink via a mirror [https://www.apache.org/dyn/closer.lua/flink/flink-1.10.0/flink-1.10.0-bin-scala_2.12.tgz]
# Download PGP signature file [https://www.apache.org/dist/flink/flink-1.10.0/flink-1.10.0-bin-scala_2.12.tgz.asc]
# Download release-signing keys file [https://www.apache.org/dist/flink/KEYS]

{code:java}
# gpg --import KEYS
gpg: key 04D9B832: "Alan Gates (No comment) <[hidden email]>" not changed
gpg: key 0CBAAE9F: "Sean Owen (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: key 0410DA0C: "Ted Dunning (for signing Apache releases) <[hidden email]>" not changed
gpg: key 3592721E: "Henry Saputra (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: key 3D0C92B9: "Owen O'Malley (Code signing) <[hidden email]>" not changed
gpg: key D9839159: "Robert Metzger (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: key 9D403309: "Ufuk Celebi (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: key D675A2E9: "Márton Balassi (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: key C2909CBF: "Maximilian Michels <[hidden email]>" not changed
gpg: key 34911D5A: "Fabian Hueske (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: key B065B356: "Tzu-Li Tai (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: key 121D7293: "Aljoscha Krettek (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: key 11D464BA: "Chesnay Schepler (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: key 35C33D6A: "Tzu-Li Tai (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: key A96CFFD5: "Till Rohrmann (stsffap) <[hidden email]>" not changed
gpg: key D920A98C: "Thomas Weise <[hidden email]>" not changed
gpg: key 3B79EA0E: "jincheng Sun (jincheng) <[hidden email]>" not changed
gpg: key F7059BA4: "Kurt Young <[hidden email]>" not changed
gpg: key EFAE3202: "Jark Wu (CODE SIGNING KEY) <[hidden email]>" not changed
gpg: Total number processed: 19
gpg:              unchanged: 19
{code}

{code:java}
# gpg --verify flink-1.10.0-bin-scala_2.12.tgz.asc flink-1.10.0-bin-scala_2.12.tgz
gpg: Signature made Fri 07 Feb 2020 07:36:24 PM CET using RSA key ID 89C115E8
gpg: Can't check signature: No public key
{code}

{code:java}
# gpg --keyserver pgpkeys.mit.edu --recv-key 89C115E8
gpg: requesting key 89C115E8 from hkp server pgpkeys.mit.edu
gpgkeys: key 89C115E8 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
{code}

{code:java}
# gpg --verify flink-1.9.2-bin-scala_2.12.tgz.asc2 flink-1.9.2-bin-scala_2.12.tgz
gpg: Signature made Fri 24 Jan 2020 06:08:33 AM CET using RSA key ID 57B6476C
gpg: Can't check signature: No public key
{code}

{code:java}
# gpg --keyserver pgpkeys.mit.edu --recv-key 57B6476C
gpg: requesting key 57B6476C from hkp server pgpkeys.mit.edu
gpgkeys: key 57B6476C not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
{code}

Could someone check if a key is missing in the release-signing keys file? Or something else is wrong?

E.g. for Flink 1.9.1 these steps seem to be fine.

{code:java}
gpg --verify flink-1.9.1-bin-scala_2.12.tgz.asc flink-1.9.1-bin-scala_2.12.tgz
gpg: Signature made Mon 30 Sep 2019 08:57:32 AM CEST using RSA key ID EFAE3202
gpg: Good signature from "Jark Wu (CODE SIGNING KEY) <[hidden email]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E2C4 5417 BED5 C104 154F  3410 85BA CB5A EFAE 3202
{code}

--
This message was sent by Atlassian Jira (v8.3.4#803005)
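
The manual check from the report, as an added example that is not part of the original issue or of Flink's own tooling: it verifies a release against the `KEYS` file alone in a throwaway keyring and turns gpg's `--status-fd` output into one verdict, so a signer key missing from `KEYS` is reported by its key ID. The function names `classify_status` and `verify_release` are hypothetical, and the script assumes one detached signature per file and `gpg` on the PATH.

```shell
# Added example (not from the issue). Function names are hypothetical.

# classify_status: read `gpg --status-fd` lines on stdin, print one verdict.
# Anything that is not an unambiguous good signature fails closed.
classify_status() {
  local verdict prefix tag a1 rest
  verdict="UNKNOWN"
  while read -r prefix tag a1 rest; do
    [ "$prefix" = "[GNUPG:]" ] || continue      # skip human-readable lines
    case "$tag" in
      BADSIG)                   verdict="BAD $a1"; break ;;                 # data was altered
      EXPSIG|EXPKEYSIG|REVKEYSIG) verdict="EXPIRED_OR_REVOKED $a1"; break ;; # key or sig not usable
      NO_PUBKEY)                verdict="MISSING_KEY $a1" ;;                # signer absent from keyring
      VALIDSIG)                 verdict="GOOD $a1" ;;                       # a1 = full fingerprint
    esac
  done
  printf '%s\n' "$verdict"
}

# verify_release KEYS SIGNATURE ARCHIVE
# Imports only the given KEYS file into a temporary GnuPG home, so keys
# already in the user's keyring cannot influence the result.
verify_release() {
  local keys sig data home verdict
  keys="$1"; sig="$2"; data="$3"
  home="$(mktemp -d)" || return 2
  gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null
  verdict="$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$data" 2>/dev/null | classify_status)"
  gpgconf --homedir "$home" --kill all 2>/dev/null || true
  rm -rf "$home"
  printf '%s\n' "$verdict"
  case "$verdict" in
    GOOD*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Typical call, with the three files from the steps to reproduce:
#   verify_release KEYS flink-1.10.0-bin-scala_2.12.tgz.asc flink-1.10.0-bin-scala_2.12.tgz
```

A `GOOD` verdict only ties the archive to a key present in the supplied `KEYS` file; the printed fingerprint still has to be compared with one obtained over a separate channel.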