SA Bugzilla – Bug 7765
Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not validate
Last modified: 2019-11-03 15:59:09 UTC
This archive seems to be signed with an unknown key (RSA key 6C55397824F434CE). The key in the https://www.apache.org/dist/spamassassin/KEYS is RSA key FDE52F40F7D39814.
That is a rule file. In the sa-update man page you will see it documented: --gpgkey sa-update has the concept of "release trusted" GPG keys. When an archive is downloaded and the signature verified, sa-update requires that the signature be from one of these "release trusted" keys or else verification fails. This prevents third parties from manipulating the files on a mirror, for instance, and signing with their own key. By default, sa-update trusts key ids "24F434CE" and "5244EC45", which are the standard SpamAssassin release key and its sub-key. Use this option to trust additional keys. See the --import option for how to add keys to sa-update's keyring. For sa-update to use a key it must be in sa-update's keyring and trusted. For multiple keys, use the option multiple times. i.e.: sa-update --gpgkey E580B363 --gpgkey 298BC7D0 Note: use of this option automatically enables GPG verification.
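The "release trusted" check described in the man page excerpt above, as an added example that is not sa-update's own code and not part of this bug thread: a small POSIX sh emulation that reads the machine-readable lines gpg prints with --status-fd and accepts a signature only when it is valid and the signing key is on the trusted list. The key IDs are the ones named in this thread; the status lines, fingerprints (zero-padded so that they end in the thread's long key IDs) and signer user IDs are constructed sample input, not real gpg output.

```shell
#!/bin/sh
# Added example (not sa-update's code): emulate the "release trusted" key
# check over gpg --status-fd output. Key IDs come from the bug thread;
# all status lines, fingerprints and user IDs below are constructed.

# Short key IDs sa-update trusts by default, per the man page excerpt.
TRUSTED_KEYS="24F434CE 5244EC45"

# Constructed: status lines for a rules archive signed by the rules key
# 6C55397824F434CE (fingerprint is fake, padded to 40 hex digits).
RULES_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6C55397824F434CE constructed-rules-signer-uid
[GNUPG:] VALIDSIG 0000000000000000000000006C55397824F434CE 2018-09-16 1537056000 0 4 0 1 8 00 0000000000000000000000006C55397824F434CE
[GNUPG:] TRUST_FULLY 0 classic'

# Constructed: the same archive signed by the download key from the KEYS
# file, FDE52F40F7D39814. The signature is valid, but that key is not a
# release-trusted key unless it is added with --gpgkey.
KEYS_FILE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FDE52F40F7D39814 constructed-keys-file-signer-uid
[GNUPG:] VALIDSIG 000000000000000000000000FDE52F40F7D39814 2018-09-16 1537056000 0 4 0 1 8 00 000000000000000000000000FDE52F40F7D39814
[GNUPG:] TRUST_FULLY 0 classic'

# Constructed: a modified archive; gpg reports BADSIG and never VALIDSIG.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 6C55397824F434CE constructed-rules-signer-uid'

# Print the 40-hex-digit fingerprint from the first VALIDSIG line, or
# nothing if gpg never reported a valid signature.  $1: gpg status output.
signer_fingerprint() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Return 0 only if there is a valid signature AND its key is on the
# trusted list.  $1: gpg status output; $2: whitespace-separated short IDs.
is_release_trusted() {
    _fpr=$(signer_fingerprint "$1")
    [ -n "$_fpr" ] || return 1                 # no valid signature at all
    _short=${_fpr#"${_fpr%????????}"}          # short key ID = last 8 hex digits
    for _k in $2; do
        if [ "$_k" = "$_short" ]; then
            return 0
        fi
    done
    return 1                                   # valid signature, untrusted key
}

# Stand-alone demo: print the verdict for each constructed case.
report() {
    if is_release_trusted "$2" "$3"; then
        echo "$1: accepted"
    else
        echo "$1: rejected"
    fi
}
report "rules key, default trust"          "$RULES_STATUS"     "$TRUSTED_KEYS"
report "KEYS file key, default trust"      "$KEYS_FILE_STATUS" "$TRUSTED_KEYS"
report "KEYS file key, --gpgkey F7D39814"  "$KEYS_FILE_STATUS" "$TRUSTED_KEYS F7D39814"
report "bad signature, default trust"      "$BAD_STATUS"       "$TRUSTED_KEYS"
```

The check compares short (32-bit) key IDs because that is what the --gpgkey option documented above takes; short IDs are easy to collide, so a hardened verifier should compare the full fingerprint from the VALIDSIG line against a pinned list instead. The two-step structure is the point of the man page's warning: a good signature from a key that is in the keyring but not release-trusted (the KEYS file key in the second case) is still rejected, which is exactly the mismatch this bug reports.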
The reason for submitting this bug, was the following text on https://spamassassin.apache.org/downloads.cgi?update=201809160000 "GPG Signing Key If you want to use GPG to verify the downloads listed above, please use the SpamAssassin Release GPG Keys to verify them." The rules file is one of the files mentioned above and is listed with a GPG signature. It is mentioned nowhere on this page that verifying this archive requires a different key.
Agreed. Do you have suggested language to fix it?
Mentioning that the rules archive requires a different key (available from https://spamassassin.apache.org/updates/GPG.KEY) would have tipped me off.
Thank you for your persistence. I agree this is confusing and you'll find the KEYS file should be clearer now: Check https://spamassassin.apache.org/KEYS and https://www.apache.org/dist/spamassassin/KEYS