Bug 462234

Summary: pygpgme is signed with old key
Product: [Fedora] Fedora Reporter: Kasper Dupont <bugzilla>
Component: pygpgmeAssignee: Toshio Ernie Kuratomi <a.badger>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 8CC: ivazqueznet
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-15 04:30:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kasper Dupont 2008-09-14 17:09:52 UTC
Description of problem:
The only version of pygpgme that yum can download is signed with the old potentially compromised key.

Version-Release number of selected component (if applicable):
pygpgme-0.1-6.fc8.i386.rpm

How reproducible:
Always

Steps to Reproduce:
1. Update fedora-release
2. rpm -e gpg-pubkey-4f2a6fd2-3f9d9d3b
3. yum update
  
Actual results:
yum finds that some packages are signed with the old key and asks if I want to install it again.

Expected results:
yum would be able to find a version signed with the new key.

Additional info:
There were a few other packages with the same symptoms, but all the others existed in the DVD image I downloaded long before the compromise. pygpgme is the only package that yum depends on, which could not be found from any secure source.

Comment 1 Toshio Ernie Kuratomi 2008-09-15 04:30:40 UTC
This sounds like a problem that rel-eng might need to fix or it might be that rel-eng has only resigned the updates repo so far, not the packages in the Everything repo.  You can ask on fedora-devel-list or open a ticket in their issue tracker:

https://fedorahosted.org/rel-eng

This is not a bug in the individual package and shouldn't be fixed by action here, though.