Bug 3139
Summary: | rpm-3.0.1-12.5.2.i386.rpm corrupt? | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | youngej |
Component: | rpm | Assignee: | Jeff Johnson <jbj> |
Status: | CLOSED WORKSFORME | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5.2 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 1999-05-29 18:15:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
youngej
1999-05-29 11:31:19 UTC
I signed the rpm-3.0.1-* with gpg as well as pgp2.6.3. If pgp verifies, then the package is OK. AFAIK this is the first set of packages ever to be signed with gpg. As for gpg, I used gnupg-0.9.7 which is probably newer than the version that you are using. Could you verify whether the problem persists if you upgrade to gnupg-0.9.7? Thanks I signed the rpm-3.0.1-* with gpg as well as pgp2.6.3. If pgp verifies, then the package is OK. AFAIK this is the first set of packages ever to be signed with gpg. As for gpg, I used gnupg-0.9.7 which is probably newer than the version that you are using. Could you verify whether the problem persists if you upgrade to gnupg-0.9.7? Thanks What I really want to do is test a .rpm file to see if it has survived download intact. I don't understand how to use the PGP or GPG checking. So I issued a command which would check size and MD5 only. The --nopgp is supposed to cut off sig checking. It apparently didn't. Perhaps --nopgp should really be --nosigchk or you should add --nogpg? In the mean time I'm trying to figure out how to do a sig check... Ah, then you need to add "--nogpg" to the command line. You may use popt to implement --nosigchk. Put the following in /etc/popt rpm alias --nosigchk --nopgp --nogpg If you want to actually check signatures, then install pgp2.6.3 from ftp.replay.com. I have downloaded and installed pgp-2.6.3usa3, cmp'd both rufus and replay downloads, they were the same, so pgp shoud be good. I added the key in /usr/doc/rpm-3.0.1/RPM-PGP-KEY I get the following: # rpm -K rpm-3.0.1-12.5.2.i386.rpm rpm-3.0.1-12.5.2.i386.rpm: size (PGP) md5 (GPG) OK (MISSING KEYS: PGP#73B83325 GPG#1759C6EC) Is rpm itself signed under yet another key (not RedHat's)? I've been RTFM'ing for the last 2 hours on where to get additional keys (PGP and GPG). Any hints here? Other RedHat packages, like netscape-*.rpm updates, do check out OK for RedHat's PGP. I would be glad to test the GPG on rpm-3.0.1-12.5.2.i386.rpm and report here if I could only figure out where to get keys... BTW, thanks for the help. Yes the rpm rpm was signed by me, not by Red Hat. Send me mail (jbj) if you wish my keys. |