Bug 120503 - Some packages are signed with unknown GPG signatures
Some packages are signed with unknown GPG signatures
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: up2date (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Bret McMillan
:
Depends On:
Blocks: 124619
  Show dependency treegraph
 
Reported: 2004-04-09 11:57 EDT by George Dunlap
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-29 09:37:33 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description George Dunlap 2004-04-09 11:57:41 EDT
Description of problem:
The following packages complain that "Package x is signed with an
unknown GPG signature."  It's only a handful of packages, most of them
work.  The ones that don't work so far:

Canna
ImageMajick
apr
beecrypt
esound*
file
gdb
libxml(-devel)
libxml2
openssl*

Version-Release number of selected component (if applicable):


How reproducible:
n/a

Steps to Reproduce:
1. Upgrade from RH9 to FC2-test2
2. sudo up2date -u up2date
3. Run up2date-gnome from the RHN notifier applet
  
Actual results:
 Several packages complain that "Package x is signed with an unknown
GPG signature.  Continue?"

Expected results:
All automated

Additional info:
Comment 1 Michael Schwendt 2004-04-16 19:46:55 EDT
Not all packages in Fedora Core "development" tree are signed. Run
"rpm -Kv" on a package file to see whether it is signed or not, e.g.
this one is not signed:

$ rpm -Kv a2ps-4.13b-37.i386.rpm 
a2ps-4.13b-37.i386.rpm:
    Header SHA1 digest: OK (fb065af05d8c75dbf1fce766697dd533251facbd)
    MD5 digest: OK (d569ee382daa9d0964397ab4822e66dd)

The following is signed with 'RPM-GPG-KEY-fedora-test' key:

$ rpm -Kv ImageMagick-5.5.7.15-1.3.i386.rpm 
ImageMagick-5.5.7.15-1.3.i386.rpm:
    Header V3 DSA signature: OK, key ID 30c9ecf8
    Header SHA1 digest: OK (ae225423d46d14e42eeb3f3cfe77acd13a42546a)
    MD5 digest: OK (cac12eb3a66c5bcaea2f8c6dde517ff6)
    V3 DSA signature: OK, key ID 30c9ecf8
Comment 2 Dimitri Papadopoulos 2004-04-19 07:48:27 EDT
That's still the case with the latest binutils-2.15.90.0.3-1:

# rpm -K /var/spool/up2date/binutils-2.15.90.0.3-1.i386.rpm
/var/spool/up2date/binutils-2.15.90.0.3-1.i386.rpm: (SHA1) DSA sha1
md5 (GPG) NOT OK (MISSING KEYS: GPG#30c9ecf8)
# 
Comment 3 Michael Schwendt 2004-04-19 10:32:55 EDT
No, Dimitri: 

  MISSING KEYS: GPG#30c9ecf8

You have not installed the key yet. See comment 1.
Comment 4 Claude Walston 2004-04-23 17:00:30 EDT
In reference to comment #3;
1. How/Where does one get the key (0x30C9ECF8)
2. How does one install it after one gets it?

I installed test2 from scratch and have been unable to update 
anything! The few "instructions" that I have found concerning adding
gpg-pubkey-... have not worked for anything I have tried yet.
None of the docu (which I have looked at so far) has an example.

Thanks in advance for further comments.

  
Comment 5 John Thacker 2006-10-29 09:37:33 EST
Note that FC1 and FC2 are no longer supported even by Fedora Legacy, and FC3 and
FC4 are supported by Fedora Legacy only for security issues.  Please retest this
bug against a still supported version and retest.  If this still occurs on FC3
or FC4 and is a security issue, please reopen the bug and assign it to that
version and Fedora Legacy.  If it occurs on RHEL, please change to that product
and the appropriate version.

Note that up2date has been replaced by pirut/pup for FC5 and FC6, the only
fully-supported versions of Fedora Core.  Please test pirut for software updates
and file bugs as appropriate.

Note You need to log in before you can comment on or make changes to this bug.