[Bug 7765] New: Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not validate

bugzilla-daemon-2
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7765

            Bug ID: 7765
           Summary: Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not
                    validate
           Product: Spamassassin
           Version: 3.4.2
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Building & Packaging
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: Undefined

This archive seems to be signed with an unknown key (RSA key 6C55397824F434CE).
The key in the https://www.apache.org/dist/spamassassin/KEYS is RSA key
FDE52F40F7D39814.

--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7765] Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not validate

bugzilla-daemon-2
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7765

Arjen de Korte <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

[Bug 7765] Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not validate

bugzilla-daemon-2
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7765

Kevin A. McGrail <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED
                 CC|                            |[hidden email]

--- Comment #1 from Kevin A. McGrail <[hidden email]> ---
That is a rule file.  In the sa-update man page you will see it documented:

 --gpgkey
           sa-update has the concept of "release trusted" GPG keys.  When an
           archive is downloaded and the signature verified, sa-update requires
           that the signature be from one of these "release trusted" keys or
           else verification fails.  This prevents third parties from
           manipulating the files on a mirror, for instance, and signing with
           their own key.

           By default, sa-update trusts key ids "24F434CE" and "5244EC45",
           which are the standard SpamAssassin release key and its sub-key.
           Use this option to trust additional keys.  See the --import option
           for how to add keys to sa-update's keyring.  For sa-update to use a
           key it must be in sa-update's keyring and trusted.

           For multiple keys, use the option multiple times.  i.e.:

                   sa-update --gpgkey E580B363 --gpgkey 298BC7D0

           Note: use of this option automatically enables GPG verification.

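The "release trusted" check described in the man page excerpt above, as an added example that is not part of the thread and is not sa-update's own code. It reads the machine-readable lines gpg emits with `--status-fd` and separates the two failures this bug is about: the signer's key is missing from the keyring, or the signature is valid but made by a key outside the trusted list. The function name, the suffix-matching approach and the zero-padded fingerprints are assumptions made for illustration.

```python
import re

# sa-update's default "release trusted" key ids, as quoted from its man page.
TRUSTED_KEY_IDS = ("24F434CE", "5244EC45")
FPR = re.compile(r"[0-9A-F]{32,64}")

def check_signature(status_text, trusted_ids=TRUSTED_KEY_IDS):
    """Decide from `gpg --status-fd 1 --verify` output whether to accept."""
    trusted = tuple(t.upper() for t in trusted_ids)
    missing = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        tag, args = parts[1], parts[2:]
        if tag == "BADSIG":
            return False, "bad signature"
        if tag == "NO_PUBKEY":
            missing = args[0]
        elif tag == "VALIDSIG":
            # First field: signing (sub)key fingerprint; last: primary key's.
            fprs = [a.upper() for a in (args[0], args[-1])
                    if FPR.fullmatch(a.upper())]
            # Suffix match mirrors key-id style trust; short ids can collide,
            # so pass full fingerprints as trusted_ids where possible.
            if any(f.endswith(t) for f in fprs for t in trusted):
                return True, "signed by release-trusted key " + fprs[0]
            return False, "valid signature, but signer is not release trusted"
    if missing:
        return False, "signer key " + missing + " is not in the keyring"
    return False, "no valid signature found"

# Constructed status output: fingerprints are the page's key ids, zero-padded.
RULES_FPR = "0" * 24 + "6C55397824F434CE"
OTHER_FPR = "0" * 24 + "FDE52F40F7D39814"

def validsig(fpr):
    """Build constructed GOODSIG/VALIDSIG status lines for one fingerprint."""
    return ("[GNUPG:] GOODSIG %s constructed signer\n"
            "[GNUPG:] VALIDSIG %s 2018-09-16 1537056000 0 4 0 1 10 00 %s\n"
            % (fpr[-16:], fpr, fpr))

KEY_MISSING = ("[GNUPG:] ERRSIG 6C55397824F434CE 1 10 00 1537056000 9\n"
               "[GNUPG:] NO_PUBKEY 6C55397824F434CE\n")

if __name__ == "__main__":
    for text in (KEY_MISSING, validsig(RULES_FPR), validsig(OTHER_FPR)):
        print(check_signature(text))
```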

[Bug 7765] Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not validate

bugzilla-daemon-2
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7765

--- Comment #2 from Arjen de Korte <[hidden email]> ---
The reason for submitting this bug was the following text on
https://spamassassin.apache.org/downloads.cgi?update=201809160000

"GPG Signing Key
If you want to use GPG to verify the downloads listed above, please use the
SpamAssassin Release GPG Keys to verify them."

The rules file is one of the files mentioned above and is listed with a GPG
signature. It is mentioned nowhere on this page that verifying this archive
requires a different key.

[Bug 7765] Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not validate

bugzilla-daemon-2
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7765

--- Comment #3 from Kevin A. McGrail <[hidden email]> ---
Agreed.  Do you have suggested language to fix?

[Bug 7765] Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not validate

bugzilla-daemon-2
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7765

--- Comment #4 from Arjen de Korte <[hidden email]> ---
Mentioning that the rules archive requires a different key (available from
https://spamassassin.apache.org/updates/GPG.KEY) would have tipped me off.

[Bug 7765] Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not validate

bugzilla-daemon-2
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7765

Kevin A. McGrail <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |FIXED

--- Comment #5 from Kevin A. McGrail <[hidden email]> ---
Thank you for your persistence.  I agree this is confusing and you'll find the
KEYS file should be clearer now:

Check  https://spamassassin.apache.org/KEYS and
https://www.apache.org/dist/spamassassin/KEYS
