When a public key is imported, rpm does not complain when no header is present. Here is how to reproduce the bug: save http://fedora.redhat.com/about/security/30C9ECF8.txt in a file and remove the first two lines (the description of the key). Then import the key. Although it seems to have worked, the key cannot be used when verifying a package. I noticed it because initially I imported the keys from a public key server and I could not verify the packages.

There is another experience. Remove all public keys from the rpm database. Then import a key without the first two lines. Then 'rpm -qa gpg-pubkey*' outputs dozens of errors:

error: rpmdbNextIterator: skipping h#: 1554 Header V3 DSA signature: BAD, key ID 4f2a6fd2
Yup. rpm supports only a subset of OpenPGP, and it's up to the user to ensure that the pubkey is correct and imported correctly. Yes, if you import a pubkey that associates the wrong fingerprint with the parameters, then every signature check will fail, and all headers read from the database will be identified as BAD.
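Since the reply puts the burden of checking the key on the user, here is the kind of pre-import sanity check a practitioner would run before `rpm --import`. This is an added example written for this thread, not rpm's own code and not the Fedora key: it verifies that the ASCII armor still has its BEGIN/END lines, that the Radix-64 CRC-24 trailer matches the decoded bytes, and then computes the v4 fingerprint and 32-bit key ID of the first public-key packet so they can be compared with the fingerprint published out of band. The SAMPLE_KEY below is a constructed DSA public-key packet with placeholder parameters; it exercises the parser and would not verify any package.

```python
"""Sanity-check an ASCII-armored OpenPGP public key before `rpm --import`.

Added example for the rpm key-import discussion; not rpm's code.
"""
import base64
import hashlib
import struct

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data):
    """OpenPGP Radix-64 CRC-24 (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data):
    """Wrap raw packet bytes in a public-key armor block (used to build the sample)."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(struct.pack(">I", crc24(data))[1:]).decode()
    return "\n".join([BEGIN, "Version: example", ""] + lines + ["=" + crc, END, ""])


def dearmor(text):
    """Strictly parse an armor block; raise ValueError on any structural defect."""
    lines = text.splitlines()
    stripped = [l.strip() for l in lines]
    if not stripped or stripped[0] != BEGIN:
        raise ValueError("missing armor header line")
    if END not in stripped:
        raise ValueError("missing armor footer line")
    end = stripped.index(END)
    # Armor headers (Version:, Comment:, ...) run up to the first blank line.
    blank = next((i for i in range(1, end) if stripped[i] == ""), None)
    if blank is None:
        raise ValueError("missing blank line between armor headers and body")
    body = stripped[blank + 1:end]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    want = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    if crc24(data) != want:
        raise ValueError("CRC-24 mismatch: %06X != %06X" % (crc24(data), want))
    return data


def first_pubkey_fingerprint(data):
    """Return (fingerprint, key ID) of the first packet, which must be a v4 public key.

    The v4 fingerprint is SHA-1 over 0x99, the two-byte body length and the body
    (RFC 4880 section 12.2); the 32-bit key ID is the low four bytes of that hash.
    """
    tag_byte = data[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:  # new-format packet header
        tag = tag_byte & 0x3F
        first = data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format packet header
        tag = (tag_byte >> 2) & 0x0F
        ltype = tag_byte & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << ltype
        length = int.from_bytes(data[1:1 + size], "big")
        off = 1 + size
    if tag != 6:
        raise ValueError("first packet is tag %d, expected public-key (6)" % tag)
    body = data[off:off + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated or non-v4 public-key packet")
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()
    return fpr, fpr[-8:]


def check_key(text):
    """Run all checks and report, leaving the import decision to the caller."""
    try:
        fpr, keyid = first_pubkey_fingerprint(dearmor(text))
        return {"ok": True, "fingerprint": fpr, "keyid": keyid}
    except ValueError as err:
        return {"ok": False, "error": str(err)}


def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


# Constructed sample, not a real key: v4, fixed timestamp, DSA (algorithm 17),
# tiny placeholder MPIs for p, q, g, y, wrapped in an old-format tag-6 header.
_body = b"\x04" + struct.pack(">I", 1041379200) + b"\x11" + _mpi(0xF1) + _mpi(0x8B) + _mpi(0x2) + _mpi(0x7)
SAMPLE_KEY = armor(b"\x99" + struct.pack(">H", len(_body)) + _body)

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY))
    # The case from the report: the first two lines (armor header and Version:) removed.
    print(check_key("\n".join(SAMPLE_KEY.splitlines()[2:])))
```

With the header lines removed, `check_key` refuses the file instead of silently accepting it, and a single corrupted Radix-64 character is caught by the CRC-24 comparison. The fingerprint it prints is what you compare against the value published by the distribution before importing; for the reporter's headerless case, rpm would have accepted the file and then labelled every header BAD.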