Bug 120503

Summary: Some packages are signed with unknown GPG signatures
Product: [Fedora] Fedora Reporter: George Dunlap <dunlapg>
Component: up2dateAssignee: Bret McMillan <bretm>
Status: CLOSED CANTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-10-29 14:37:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 124619    

Description George Dunlap 2004-04-09 15:57:41 UTC 
Description of problem:
The following packages complain that "Package x is signed with an
unknown GPG signature."  It's only a handful of packages, most of them
work.  The ones that don't work so far:

Canna
ImageMajick
apr
beecrypt
esound*
file
gdb
libxml(-devel)
libxml2
openssl*

Version-Release number of selected component (if applicable):


How reproducible:
n/a

Steps to Reproduce:
1. Upgrade from RH9 to FC2-test2
2. sudo up2date -u up2date
3. Run up2date-gnome from the RHN notifier applet
  
Actual results:
 Several packages complain that "Package x is signed with an unknown
GPG signature.  Continue?"

Expected results:
All automated

Additional info:
Comment 1 Michael Schwendt 2004-04-16 23:46:55 UTC 
Not all packages in Fedora Core "development" tree are signed. Run
"rpm -Kv" on a package file to see whether it is signed or not, e.g.
this one is not signed:

$ rpm -Kv a2ps-4.13b-37.i386.rpm 
a2ps-4.13b-37.i386.rpm:
    Header SHA1 digest: OK (fb065af05d8c75dbf1fce766697dd533251facbd)
    MD5 digest: OK (d569ee382daa9d0964397ab4822e66dd)

The following is signed with 'RPM-GPG-KEY-fedora-test' key:

$ rpm -Kv ImageMagick-5.5.7.15-1.3.i386.rpm 
ImageMagick-5.5.7.15-1.3.i386.rpm:
    Header V3 DSA signature: OK, key ID 30c9ecf8
    Header SHA1 digest: OK (ae225423d46d14e42eeb3f3cfe77acd13a42546a)
    MD5 digest: OK (cac12eb3a66c5bcaea2f8c6dde517ff6)
    V3 DSA signature: OK, key ID 30c9ecf8
Comment 2 Dimitri Papadopoulos 2004-04-19 11:48:27 UTC 
That's still the case with the latest binutils-2.15.90.0.3-1:

# rpm -K /var/spool/up2date/binutils-2.15.90.0.3-1.i386.rpm
/var/spool/up2date/binutils-2.15.90.0.3-1.i386.rpm: (SHA1) DSA sha1
md5 (GPG) NOT OK (MISSING KEYS: GPG#30c9ecf8)
#
Comment 3 Michael Schwendt 2004-04-19 14:32:55 UTC 
No, Dimitri: 

  MISSING KEYS: GPG#30c9ecf8

You have not installed the key yet. See comment 1.
Comment 4 Claude Walston 2004-04-23 21:00:30 UTC 
In reference to comment #3;
1. How/Where does one get the key (0x30C9ECF8)
2. How does one install it after one gets it?

I installed test2 from scratch and have been unable to update 
anything! The few "instructions" that I have found concerning adding
gpg-pubkey-... have not worked for anything I have tried yet.
None of the docu (which I have looked at so far) has an example.

Thanks in advance for further comments.
Comment 5 John Thacker 2006-10-29 14:37:33 UTC 
Note that FC1 and FC2 are no longer supported even by Fedora Legacy, and FC3 and
FC4 are supported by Fedora Legacy only for security issues.  Please retest this
bug against a still supported version and retest.  If this still occurs on FC3
or FC4 and is a security issue, please reopen the bug and assign it to that
version and Fedora Legacy.  If it occurs on RHEL, please change to that product
and the appropriate version.

Note that up2date has been replaced by pirut/pup for FC5 and FC6, the only
fully-supported versions of Fedora Core.  Please test pirut for software updates
and file bugs as appropriate.