Bug 169810

Summary: crontabs-1.10-7 is mis-signed NOKEY
Product: [Retired] Fedora Infrastructure Reporter: Dan Hollis <goemon>
Component: update systemAssignee: Luke Macken <lmacken>
Status: CLOSED DUPLICATE QA Contact: Bill Nottingham <notting>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: katzj, notting, pfrields, rvokal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-10-03 22:08:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dan Hollis 2005-10-03 21:40:23 UTC 
Description of problem:
crontabs-1.10-7 is mis-signed NOKEY

Version-Release number of selected component (if applicable):
crontabs-1.10-7

How reproducible:
always

Steps to Reproduce:
1.rpm -e crontabs
2.yum install crontabs
3.profit
  
Actual results:
Downloading Packages:
(1/1): crontabs-1.10-7.no 100% |=========================| 5.0 kB    00:00     
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID db42a60e
Public key for crontabs-1.10-7.noarch.rpm is not installed
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora (0x4F2A6FD2) is already
installed


The GPG keys listed for the "Fedora Core 4 - i386 - Base" repository are already
installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Expected results:
It should install without borking.

Additional info:
Comment 1 Jason Vas Dias 2005-10-03 22:05:22 UTC 
Yes, it appears the crontabs package somehow escaped being signed, or was 
signed with the wrong key (the redhat key probably changed since this package
was modified).

All our packages are built without signing and are then signed when pushed to
the repository mirrors. 

Somehow crontabs was not signed with the current key:
# lftp download.fedora.redhat.com:/pub/fedora/linux/core/4/i386/os/Fedora/RPMS>
get crontabs-1.10-7.noarch.rpm
5121 bytes transferred
# rpm -qi gpg-pubkey-4f2a6fd2-3f9d9d3b
Name        : gpg-pubkey ...
# rpm -qp crontabs-1.10-7.noarch.rpm --checksig
warning: crontabs-1.10-7.noarch.rpm: Header V3 DSA signature: NOKEY, key ID db42a60e
crontabs-1.10-7

I agree that the crontabs RPM would be amongst the #1 targets to spoof 
for malicious hackers wanting to get their code running on other people's
systems, and ought to be signed. 

I've CC'ed those who are responsible for package signing on this bug report.
Comment 3 Bill Nottingham 2005-10-03 22:08:44 UTC 
a) this isn't an update package, it's a package from the base release
b) it's signed with the Red Hat security key

*** This bug has been marked as a duplicate of 166030 ***
Comment 4 Dan Hollis 2005-10-03 22:13:48 UTC 
once you rpm -e the package, you can no longer yum install it.

not a bug?
Comment 5 Bill Nottingham 2005-10-03 22:19:18 UTC 
You can import the key from /usr/share/rhn/RPM-GPG-KEY or
/usr/share/doc/fedora-release-4/RPM-GPG-KEY
Comment 6 Dan Hollis 2005-10-03 22:37:11 UTC 
yum (or is it rpm?) usually tries to install missing keys when it doesn't find them.

should /usr/share/doc/fedora-release-4/RPM-GPG-KEY be added to the list of
auto-install keys? (and why isnt the key installed by default?)
Comment 7 Seth Vidal 2005-10-03 23:13:05 UTC 
all the packages in base distro should be signed by the same key

the reason they were not is b/c it was a mistake.

and there's not much we can do about it now.
Comment 8 Dan Hollis 2005-10-03 23:25:27 UTC 
so this bugzilla should serve as a warning/reminder for FC5