Red Hat Bugzilla – Bug 113658
RFE: Better error message when installing packages not signed by trusted key
Last modified: 2007-11-30 17:07:00 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; Linux)
Description of problem:
When installing a package that's not signed by an organization whose public key has been imported into RPM, a message like the following pops up:
"warning: foobar-3.5-1.i386.rpm: V3 DSA signature > NOKEY, key ID 34ab95ba"
I'm a contract RHCX, and I notice that a lot of experienced customers find this warning confusing. Could it be replaced by, or be accompanied by, something more decipherable?
"warning: package not signed by organization with trusted signature" might be a good start.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install a package not signed by an organization whose public key is trusted by RPM
There's more than text that needs change, as rpm signatures
have only a primitive and ill-defined concept of trust atm.
Currently it's up to the user to import keys, existence (or lack
thereof) of the key is the only mechanism.
Adding terms like "organization" and "trusted" will only muddle
and confuse issues regarding pubkey management imho. The plan
is to distribute and import public keys in packages.
Yes, the message is pugly and nerdy, will be fixed as rpm
starts to get a better definition for trust.
Deferred until then.
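
Added example, not part of the original bug report and not rpm's own code: a small log helper that turns NOKEY warnings into a readable explanation by checking only whether the signing key is imported, which is the one mechanism the comment above describes. The function names, the sample key package and the second warning layout are assumptions; the first log line is the one quoted in this report.

```python
import re

# Matches the warning quoted on this page plus a layout (assumed) in which
# the status follows the key ID instead of preceding it.
WARNING = re.compile(
    r"warning: (?P<pkg>\S+): (?:Header )?(?P<ver>V\d) (?P<algo>\S+) [Ss]ignature"
    r"(?:\s*[:>]\s*(?P<s1>[A-Z]+))?, key ID (?P<key>[0-9a-fA-F]{8,16})"
    r"(?:: (?P<s2>[A-Z]+))?"
)
# Imported keys show up as gpg-pubkey-<key id>-<creation time> pseudo-packages.
PUBKEY = re.compile(r"^gpg-pubkey-(?P<key>[0-9a-f]{8})-[0-9a-f]{8}$")

# Constructed sample of `rpm -q gpg-pubkey` output (not a real key).
SAMPLE_KEYS = "gpg-pubkey-0a1b2c3d-4e5f6a7b\n"
SAMPLE_LOG = [
    # Line quoted in this bug report:
    "warning: foobar-3.5-1.i386.rpm: V3 DSA signature > NOKEY, key ID 34ab95ba",
    # Constructed line in the assumed alternative layout:
    "warning: baz-1.0-1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 0a1b2c3d: NOKEY",
    "Preparing...    ########################################### [100%]",
]


def imported_key_ids(rpm_q_output):
    """Short key IDs taken from the version field of gpg-pubkey entries."""
    return {m.group("key") for line in rpm_q_output.splitlines()
            if (m := PUBKEY.match(line.strip()))}


def explain(line, imported):
    """Return (package, key_id, message) for a signature warning, else None."""
    m = WARNING.search(line)
    if not m:
        return None
    status = m.group("s1") or m.group("s2") or "UNKNOWN"
    key = m.group("key").lower()[-8:]  # compare on the short (8 hex digit) ID
    if status != "NOKEY":
        msg = f"signature status {status} for key {key}"
    elif key in imported:
        msg = f"key {key} is imported now; the warning predates the import"
    else:
        msg = f"signed with key {key}, which is not imported; signature not checked"
    return m.group("pkg"), key, msg


if __name__ == "__main__":
    keys = imported_key_ids(SAMPLE_KEYS)
    for entry in filter(None, (explain(l, keys) for l in SAMPLE_LOG)):
        print("%s: %s" % (entry[0], entry[2]))
```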