Hardcoded GPG keys in build are creating a dependency
pmcfadin opened this issue · 1 comment
The current dockerbuild template for Cassandra has hardcoded 4 members of the Cassandra PMC. Today's 4.0 release was built by a 5th person and as a result, broke on the key signing check.
Lines 65 to 74 in 08bea51
A PR has been issued to add the 5th person, but this feels like a ticking time bomb dependency.
Ideally, the correct place to pull keys would be from the official ASF keys file for the project that authorizes the builds: https://dist.apache.org/repos/dist/release/cassandra/KEYS
I have 2 PRs to address this. One to simply add the key that was used to create the 4.0 release (PR #235). Another to import all the ASF keys for Cassandra (PR #237). Either PR should resolve the recent 4.0 Docker image build problem here. But as @pmcfadin said, adding all of the ASF keys will prevent the build from failing in the future should a new GPG key be used to create the tag/release.
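The approach both posts describe, as an added example rather than code from the docker-library Cassandra Dockerfile or either PR: the signature check imports the project's ASF KEYS file (URL from this issue) instead of a fixed list of key IDs, so a release signed by any PMC member listed there passes. The version and tarball URL pattern are assumptions for illustration.

```dockerfile
# Added example, not the project's Dockerfile. Assumed build arguments:
ARG CASSANDRA_VERSION=4.0.0
ARG CASSANDRA_KEYS_URL=https://dist.apache.org/repos/dist/release/cassandra/KEYS
# Assumed tarball URL pattern; the real one is in the project's Dockerfile.
ARG CASSANDRA_TARBALL_URL=https://downloads.apache.org/cassandra/${CASSANDRA_VERSION}/apache-cassandra-${CASSANDRA_VERSION}-bin.tar.gz

# The setting this issue is about: a hardcoded set of signer key IDs means a
# release signed by any other PMC member fails the check (placeholders shown).
# ENV GPG_KEYS="<key-id-1> <key-id-2> <key-id-3> <key-id-4>"

# Corrected approach: fetch the project KEYS file over HTTPS from the ASF
# release tree, import every key in it into a throwaway keyring, and fail the
# build unless the detached .asc signature verifies against one of them.
RUN set -eux; \
    export GNUPGHOME="$(mktemp -d)"; \
    wget -O cassandra-bin.tgz     "${CASSANDRA_TARBALL_URL}"; \
    wget -O cassandra-bin.tgz.asc "${CASSANDRA_TARBALL_URL}.asc"; \
    wget -O KEYS "${CASSANDRA_KEYS_URL}"; \
    gpg --batch --import KEYS; \
    gpg --batch --verify cassandra-bin.tgz.asc cassandra-bin.tgz; \
    gpgconf --kill all; \
    rm -rf "$GNUPGHOME" KEYS cassandra-bin.tgz.asc; \
    mkdir -p /opt/cassandra; \
    tar -xzf cassandra-bin.tgz -C /opt/cassandra --strip-components=1; \
    rm cassandra-bin.tgz
```

Importing the whole KEYS file widens the accepted signer set to every key the PMC publishes, including older ones still listed, which is the trade-off PR #237 makes to avoid rebuilding the image list each time a new release manager signs.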