[MDEV-26358] Source release of 10.4.21 signed by wrong GPG key Created: 2021-08-13 Updated: 2021-09-24 Resolved: 2021-09-24 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Packaging |
| Affects Version/s: | 10.4.21 |
| Fix Version/s: | N/A |
| Type: | Bug | Priority: | Major |
| Reporter: | Toni | Assignee: | Unassigned |
| Resolution: | Incomplete | Votes: | 0 |
| Labels: | need_feedback | ||
| Description |
|
I need to download and compile MariaDB 10.4.21. From this page: https://downloads.mariadb.org/mariadb/10.4.21/ I download the source code and the checksum information, and try to verify the integrity with gpg. This tells me that I need to download this key: 0x199369E5404BD5FC7D2FE43BCBCB082A1BB943DB. But this key has no user ID, so verification fails. Somewhere on your site I read that this key is being retired, anyway, and that all files should be signed by a different key. Please re-sign the file(s) with the new key and publish the associated information. Thank you! |
| Comments |
| Comment by Daniel Bartholomew [ 2021-08-16 ] |
|
Not sure where you read that the 0xcbcb082a1bb943db key is being retired. It is the key we have used for many years for signing the source tarballs and our MariaDB yum/dnf/zypper repositories. We do use a different key for our Ubuntu and Debian repositories. More details on our GPG keys can be found at: https://mariadb.com/kb/en/gpg/ The 0xcbcb082a1bb943db key should be widely available in gpg from various keyservers, assuming the keyserver in question is syncing with other keyservers. Here are some examples I just searched:
|
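Added example, not part of the ticket, the comment above, or MariaDB's tooling: the 40-digit fingerprint in the description and the `0xcbcb082a1bb943db` ID in the comment refer to the same key, and a build script can pin the full fingerprint and check it against what `gpg --status-fd` reports. The function names and the sample status lines are constructed for illustration.

```python
import re

# Full fingerprint quoted in the ticket description.
PINNED_FPR = "199369E5404BD5FC7D2FE43BCBCB082A1BB943DB"

def normalize(key_ref):
    """Upper-case a key reference, drop '0x' and spaces, reject 8-digit short IDs."""
    s = key_ref.replace(" ", "").upper()
    s = s[2:] if s.startswith("0X") else s
    if not re.fullmatch(r"[0-9A-F]{16}|[0-9A-F]{40}", s):
        raise ValueError("need a 16-digit long key ID or a 40-digit fingerprint")
    return s

def same_key(fingerprint, key_ref):
    """A v4 long key ID is the last 16 hex digits of the key's fingerprint."""
    return normalize(fingerprint).endswith(normalize(key_ref))

def check_status(status_text, pinned=PINNED_FPR):
    """Return (ok, reason) for text printed by `gpg --status-fd 1 --verify ...`."""
    pinned = normalize(pinned)
    verdict = (False, "no valid signature reported")
    for line in status_text.splitlines():
        fields = line.split()[1:] if line.startswith("[GNUPG:] ") else []
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return (False, f"{tag} for key {args[0]}")
        if tag == "VALIDSIG":
            # args[0] is the signing (sub)key; args[9], when present, is the primary key.
            signer = args[0].upper()
            primary = args[9].upper() if len(args) > 9 else signer
            if pinned not in (signer, primary):
                return (False, "signed by unpinned key " + primary)
            verdict = (True, "signed by pinned key " + pinned)
    return verdict

# Constructed status output (not captured from a real gpg run).
GOOD = ("[GNUPG:] NEWSIG\n"
        "[GNUPG:] VALIDSIG " + PINNED_FPR
        + " 2021-08-05 1628121600 0 4 0 17 8 00 " + PINNED_FPR + "\n")
MISSING = ("[GNUPG:] ERRSIG CBCB082A1BB943DB 17 8 00 1628121600 9\n"
           "[GNUPG:] NO_PUBKEY CBCB082A1BB943DB\n")
OTHER = ("[GNUPG:] VALIDSIG " + "A" * 40
         + " 2021-08-05 1628121600 0 4 0 17 8 00 " + "A" * 40 + "\n")
```

Pinning the full fingerprint rather than the key's user ID means the check does not depend on which user IDs a keyserver returns with the key.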