120503 – Some packages are signed with unknown GPG signatures

Bug 120503 - Some packages are signed with unknown GPG signatures

Summary: Some packages are signed with unknown GPG signatures

Keywords:
Status:	CLOSED CANTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	up2date
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Bret McMillan
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	124619
TreeView+	depends on / blocked

Reported:	2004-04-09 15:57 UTC by George Dunlap
Modified:	2007-11-30 22:10 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2006-10-29 14:37:33 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description George Dunlap 2004-04-09 15:57:41 UTC

Description of problem:
The following packages complain that "Package x is signed with an
unknown GPG signature."  It's only a handful of packages, most of them
work.  The ones that don't work so far:

Canna
ImageMajick
apr
beecrypt
esound*
file
gdb
libxml(-devel)
libxml2
openssl*

Version-Release number of selected component (if applicable):


How reproducible:
n/a

Steps to Reproduce:
1. Upgrade from RH9 to FC2-test2
2. sudo up2date -u up2date
3. Run up2date-gnome from the RHN notifier applet
  
Actual results:
 Several packages complain that "Package x is signed with an unknown
GPG signature.  Continue?"

Expected results:
All automated

Additional info:

Comment 1 Michael Schwendt 2004-04-16 23:46:55 UTC

Not all packages in Fedora Core "development" tree are signed. Run
"rpm -Kv" on a package file to see whether it is signed or not, e.g.
this one is not signed:

$ rpm -Kv a2ps-4.13b-37.i386.rpm 
a2ps-4.13b-37.i386.rpm:
    Header SHA1 digest: OK (fb065af05d8c75dbf1fce766697dd533251facbd)
    MD5 digest: OK (d569ee382daa9d0964397ab4822e66dd)

The following is signed with 'RPM-GPG-KEY-fedora-test' key:

$ rpm -Kv ImageMagick-5.5.7.15-1.3.i386.rpm 
ImageMagick-5.5.7.15-1.3.i386.rpm:
    Header V3 DSA signature: OK, key ID 30c9ecf8
    Header SHA1 digest: OK (ae225423d46d14e42eeb3f3cfe77acd13a42546a)
    MD5 digest: OK (cac12eb3a66c5bcaea2f8c6dde517ff6)
    V3 DSA signature: OK, key ID 30c9ecf8

Comment 2 Dimitri Papadopoulos 2004-04-19 11:48:27 UTC

That's still the case with the latest binutils-2.15.90.0.3-1:

# rpm -K /var/spool/up2date/binutils-2.15.90.0.3-1.i386.rpm
/var/spool/up2date/binutils-2.15.90.0.3-1.i386.rpm: (SHA1) DSA sha1
md5 (GPG) NOT OK (MISSING KEYS: GPG#30c9ecf8)
#

Comment 3 Michael Schwendt 2004-04-19 14:32:55 UTC

No, Dimitri: 

  MISSING KEYS: GPG#30c9ecf8

You have not installed the key yet. See comment 1.

Comment 4 Claude Walston 2004-04-23 21:00:30 UTC

In reference to comment #3;
1. How/Where does one get the key (0x30C9ECF8)
2. How does one install it after one gets it?

I installed test2 from scratch and have been unable to update 
anything! The few "instructions" that I have found concerning adding
gpg-pubkey-... have not worked for anything I have tried yet.
None of the docu (which I have looked at so far) has an example.

Thanks in advance for further comments.

Comment 5 John Thacker 2006-10-29 14:37:33 UTC

Note that FC1 and FC2 are no longer supported even by Fedora Legacy, and FC3 and
FC4 are supported by Fedora Legacy only for security issues.  Please retest this
bug against a still supported version and retest.  If this still occurs on FC3
or FC4 and is a security issue, please reopen the bug and assign it to that
version and Fedora Legacy.  If it occurs on RHEL, please change to that product
and the appropriate version.

Note that up2date has been replaced by pirut/pup for FC5 and FC6, the only
fully-supported versions of Fedora Core.  Please test pirut for software updates
and file bugs as appropriate.

Note You need to log in before you can comment on or make changes to this bug.