Bug 121833

Summary: Rawhide gpg key on pgp.mit.edu imports to rpm incorrectly.
Product: Red Hat Enterprise Linux 3
Reporter: Bob Drzyzgula <bob>
Component: rpm
Assignee: Jeff Johnson <jbj>
Status: CLOSED DEFERRED
QA Contact: Mike McLean <mikem>
Severity: medium
Priority: medium
Version: 3.0
CC: msw, noa
Hardware: athlon
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-05-04 13:38:15 UTC
Attachments: Script that demonstrates this bug

Description Bob Drzyzgula 2004-04-28 13:28:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2)
Gecko/20021120 Netscape/7.01

Description of problem:
According to <http://www.redhat.com/security/team/key.html>, one can
obtain the Rawhide (BETA) package signing key from a pgp keyserver,
e.g.  <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x897DA07A>.
However, while the key one obtains from this URL appears to work in
GPG, this key imports incorrectly to RPM, causing subsequent calls to
"rpm --checksig" to fail on properly-signed rawhide packages. The
problem seems to be that RPM incorrectly extracts the keyid from the
key, labeling the resulting RPM package as
gpg-pubkey-5e1f1bce-3e4f0a9a, and rpm can thus not find a 897da07a key
when verifying a rawhide package.

The keys distributed in /usr/share/rhn/BETA-RPM-GPG-KEY and from the
URL <http://www.redhat.com/security/897da07a.txt> do not have this
problem.

Note also that, when the RPM package resulting from the import of the
pgp key is queried (e.g. with rpm -qi gpg-pubkey-5e1f1bce-3e4f0a9a),
the ascii-armored key that is displayed remains usable in gpg as being
for keyid 897da07a.



Version-Release number of selected component (if applicable):
rpm-4.2.1-4.4

How reproducible:
Always

Steps to Reproduce:
1. If one is already installed, delete any current rawhide GPG key
from the RPM database by e.g. rpm -e gpg-pubkey-897da07a-3c979a7f

2. Download Rawhide GPG key from pgp.mit.edu, by e.g.
wget -O 897DA07A.pgp
'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x897DA07A'

3. Import this key to the rpm database, by e.g. rpm --import 897DA07A.pgp

4. Search for this gpg key in the rpm database, by e.g. rpm -qa
'gpg-pubkey*'
    

Actual Results:  The key gets imported as gpg-pubkey-5e1f1bce-3e4f0a9a

Expected Results:  The key should be imported as
gpg-pubkey-897da07a-3c979a7f (or at least something containing 897da07a). 

Additional info:

Following is the output of a test script (redacted to remove private
proxy host addresses) that will be attached to this bug report.

+ wget -O 897DA07A.pgp 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x897DA07A'
--09:09:59--  http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x897DA07A
           => `897DA07A.pgp'
Resolving <redacted>... done.
Connecting to <redacted>[<redacted>]:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    0K ..                                                        2.01 MB/s

09:09:59 (2.01 MB/s) - `897DA07A.pgp' saved [2109]

+ wget -O 897DA07A.redhat http://www.redhat.com/security/897da07a.txt
--09:09:59--  http://www.redhat.com/security/897da07a.txt
           => `897DA07A.redhat'
Resolving <redacted>... done.
Connecting to <redacted>[<redacted>]:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 1,768 [text/plain]

    0K .                                                     100%    1.69 MB/s

09:09:59 (1.69 MB/s) - `897DA07A.redhat' saved [1768/1768]

++ rpm -qa 'gpg-pubkey*'
+ rpm -e gpg-pubkey-5e1f1bce-3e4f0a9a gpg-pubkey-897da07a-3c979a7f
+ rpm -qa 'gpg-pubkey*'
+ gpg --batch --yes --delete-keys 897DA07A
+ gpg --import 897DA07A.pgp
gpg: key 897DA07A: public key "Red Hat, Inc. (Beta Test Software)
<rawhide>" imported
gpg: Total number processed: 1
gpg:               imported: 1
+ gpg --import 897DA07A.redhat
gpg: key 897DA07A: "Red Hat, Inc. (Beta Test Software)
<rawhide>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
+ rpm --import 897DA07A.redhat
+ rpm -qa 'gpg-pubkey*'
gpg-pubkey-897da07a-3c979a7f
+ rpm --import 897DA07A.pgp
+ rpm -qa 'gpg-pubkey*'
gpg-pubkey-897da07a-3c979a7f
gpg-pubkey-5e1f1bce-3e4f0a9a
++ rpm -qa 'gpg-pubkey*'
+ rpm -qi gpg-pubkey-897da07a-3c979a7f
+ rpm -qi gpg-pubkey-5e1f1bce-3e4f0a9a
+ gpg --import gpg-pubkey-5e1f1bce-3e4f0a9a.rpmqi
gpg: key 897DA07A: "Red Hat, Inc. (Beta Test Software)
<rawhide>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
+ gpg --import gpg-pubkey-897da07a-3c979a7f.rpmqi
gpg: key 897DA07A: "Red Hat, Inc. (Beta Test Software)
<rawhide>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Comment 1 Bob Drzyzgula 2004-04-28 13:34:15 UTC
Created attachment 99736 [details]
Script that demonstrates this bug

NOTE AND WARNING: DO NOT RUN THIS SCRIPT ON A PRODUCTION SYSTEM. This script
will connect to the internet to retrieve GPG keys, and will manipulate the
current user's GPG keyring and the local system's RPM database. Sample output is
included in the main body of the bug report.

Comment 2 Jeff Johnson 2004-05-04 13:38:15 UTC
Yup.

The easiest work around is to load the rawhide key
from the web site, not from the key server.

Comment 3 Noa Resare 2004-05-21 18:29:38 UTC
Another workaround is to import the key to your local gpg keyring and
remove all signatures except the self signature and export the key
again. When imported into the rpm keyring the id is detected correctly.
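Added example (not code from rpm, from the reporter, or from either commenter): a small OpenPGP packet walker that does the check the report's reproduction steps imply and the workaround from Comment 3. It reads a public-key packet stream, derives the primary key's own key ID and creation time from the key packet (RFC 4880 v4 fingerprint), lists the issuer ID and creation time carried by every signature packet, and then rebuilds the stream with all non-self signatures removed, which is what Comment 3 does by hand in gpg. Which packet rpm 4.2.1 actually took the ID from is not stated on this page, so the script only shows that a keyserver copy with a trailing third-party certification carries a different ID and time in its last signature than in its key packet, and what a gpg-pubkey name built from each would look like. Everything below the "constructed key" line is made up for the demonstration: the MPIs are nonsense, the signatures cannot be verified, FOREIGN_ID is an invented signer, and the two timestamps are borrowed from the package names in the report only so the output lines up with it; rpm_style_name merely reproduces the name pattern visible in the report.

```python
"""OpenPGP (RFC 4880) public-key packet walker: compare the primary key's own ID and
creation time with each signature's issuer ID and time, and strip non-self signatures.
Added example for this bug thread, not rpm's code; the key at the bottom is constructed."""
import hashlib
import struct

PUBKEY_TAG, USERID_TAG, SIG_TAG = 6, 13, 2
SP_CREATED, SP_ISSUER = 2, 16            # signature subpacket types we read

def _length(buf, j, two_octet_max=254):
    """One-, two- or five-octet length at buf[j] -> (length, index after it)."""
    l = buf[j]
    if l < 192:
        return l, j + 1
    if l <= two_octet_max:               # 224..254 are partial lengths in packet headers
        return ((l - 192) << 8) + buf[j + 1] + 192, j + 2
    if l == 255:
        return struct.unpack(">I", buf[j + 1:j + 5])[0], j + 5
    raise ValueError("partial body lengths not supported")

def packets(data):
    """Yield (tag, raw packet bytes, body); handles old- and new-format headers."""
    i = 0
    while i < len(data):
        start, ctb = i, data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                  # new-format header
            tag = ctb & 0x3F
            length, i = _length(data, i + 1, 223)
        else:                                           # old-format header
            tag, width = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(ctb & 3)
            if width is None:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i + 1:i + 1 + width], "big"), i + 1 + width
        yield tag, data[start:i + length], data[i:i + length]
        i += length

def v4_keyid(key_body):
    """Key ID = low 64 bits of SHA-1(0x99 || 2-octet length || key packet body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:].hex()

def subpackets(area):
    """Map subpacket type -> data for one hashed or unhashed subpacket area."""
    found, j = {}, 0
    while j < len(area):
        n, j = _length(area, j)
        found[area[j] & 0x7F] = area[j + 1:j + n]
        j += n
    return found

def sig_info(sig_body):
    """(issuer key ID hex or None, creation time or None) of a v4 signature packet."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled")
    sp, pos = {}, 4
    for _ in range(2):                                  # hashed area, then unhashed
        n = struct.unpack(">H", sig_body[pos:pos + 2])[0]
        sp.update(subpackets(sig_body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    created = struct.unpack(">I", sp[SP_CREATED])[0] if SP_CREATED in sp else None
    return (sp[SP_ISSUER].hex() if SP_ISSUER in sp else None), created

def summarize(data):
    """((primary key ID, key creation time), [(issuer, signature time), ...])."""
    primary, sigs = None, []
    for tag, _, body in packets(data):
        if tag == PUBKEY_TAG and primary is None:
            primary = (v4_keyid(body), struct.unpack(">I", body[1:5])[0])
        elif tag == SIG_TAG:
            sigs.append(sig_info(body))
    return primary, sigs

def strip_foreign_sigs(data):
    """Comment 3's workaround on the packet stream: keep only self-signatures."""
    keyid = summarize(data)[0][0]
    return b"".join(raw for tag, raw, body in packets(data)
                    if tag != SIG_TAG or sig_info(body)[0] == keyid)

def rpm_style_name(keyid, created):
    return "gpg-pubkey-%s-%08x" % (keyid[-8:], created)   # name pattern seen in the report

# --- constructed key, not real key material (nonsense MPIs, unverifiable sigs) ---
def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
def _packet(tag, body):                                 # new-format header, 1-octet length
    return bytes([0xC0 | tag, len(body)]) + body
def _sig(issuer_hex, created):                          # v4 positive certification (0x13)
    hashed = (bytes([5, SP_CREATED]) + struct.pack(">I", created)
              + bytes([9, SP_ISSUER]) + bytes.fromhex(issuer_hex))
    return bytes([4, 0x13, 1, 2]) + struct.pack(">H", len(hashed)) + hashed + b"\0\0\xab\xcd" + _mpi(0x1234)
KEY_CREATED, FOREIGN_TIME = 0x3C979A7F, 0x3E4F0A9A   # the two times in the report's package names
KEY_BODY = bytes([4]) + struct.pack(">I", KEY_CREATED) + bytes([1]) + _mpi(0xC0FFEE << 40 | 0xDEADBEEF) + _mpi(65537)
SELF_ID, FOREIGN_ID = v4_keyid(KEY_BODY), "0f0e0d0c0b0a0908"   # FOREIGN_ID: made-up third-party signer
# Website-style export: key, user ID, self-signature only.
CLEAN_KEY = _packet(PUBKEY_TAG, KEY_BODY) + _packet(USERID_TAG, b"Test Key <test@example.invalid>") + _packet(SIG_TAG, _sig(SELF_ID, KEY_CREATED))
# Keyserver-style export: the same, followed by a later third-party certification.
KEYSERVER_KEY = CLEAN_KEY + _packet(SIG_TAG, _sig(FOREIGN_ID, FOREIGN_TIME))

if __name__ == "__main__":
    for label, blob in ("clean", CLEAN_KEY), ("keyserver", KEYSERVER_KEY), ("stripped", strip_foreign_sigs(KEYSERVER_KEY)):
        (kid, kt), sigs = summarize(blob)
        print("%-9s key packet: %s   last signature: %s" % (label, rpm_style_name(kid, kt), rpm_style_name(*sigs[-1])))
```

To run it against the two real downloads from the report, dearmor them first (`gpg --dearmor < 897DA07A.pgp > 897DA07A.bin`) and pass the bytes to summarize(); the name built from the key packet is what `rpm -qa 'gpg-pubkey*'` should list, and the name built from the trailing signature has the shape of the wrong answer in the report. strip_foreign_sigs() returns binary packets, so import the result into a scratch gpg keyring and `gpg --export -a` it before handing it to `rpm --import`.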