Bug 121833 - Rawhide gpg key on pgp.mit.edu imports to rpm incorrectly.
Status: CLOSED DEFERRED
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: rpm
3.0
athlon Linux
medium Severity medium
Assigned To: Jeff Johnson
Mike McLean
Reported: 2004-04-28 09:28 EDT by Bob Drzyzgula
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2004-05-04 09:38:15 EDT
Attachments
Script that demonstrates this bug (523 bytes, text/plain)
2004-04-28 09:34 EDT, Bob Drzyzgula
Description Bob Drzyzgula 2004-04-28 09:28:48 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2)
Gecko/20021120 Netscape/7.01

Description of problem:
According to <http://www.redhat.com/security/team/key.html>, one can
obtain the Rawhide (BETA) package signing key from a pgp keyserver,
e.g.  <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x897DA07A>.
However, while the key one obtains from this URL appears to work in
GPG, this key imports incorrectly to RPM, causing subsequent calls to
"rpm --checksig" to fail on properly-signed rawhide packages. The
problem seems to be that RPM incorrectly extracts the keyid from the
key, labeling the resulting RPM package as
gpg-pubkey-5e1f1bce-3e4f0a9a, and rpm can thus not find a 897da07a key
when verifying a rawhide package.

The keys distributed in /usr/share/rhn/BETA-RPM-GPG-KEY and from the
URL <http://www.redhat.com/security/897da07a.txt> do not have this
problem.

Note also that, when the RPM package resulting from the import of the
pgp key is queried (e.g. with rpm -qi gpg-pubkey-5e1f1bce-3e4f0a9a),
the ascii-armored key that is displayed remains usable in gpg as being
for keyid 897da07a.



Version-Release number of selected component (if applicable):
rpm-4.2.1-4.4

How reproducible:
Always

Steps to Reproduce:
1. If one is already installed, delete any current rawhide GPG key
from the RPM database by e.g. rpm -e gpg-pubkey-897da07a-3c979a7f

2. Download Rawhide GPG key from pgp.mit.edu, by e.g.
wget -O 897DA07A.pgp 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x897DA07A'

3. Import this key to the rpm database, by e.g. rpm --import 897DA07A.pgp

4. Search for this gpg key in the rpm database, by e.g. rpm -qa
'gpg-pubkey*'
    

Actual Results:  The key gets imported as gpg-pubkey-5e1f1bce-3e4f0a9a

Expected Results:  The key should be imported as
gpg-pubkey-897da07a-3c979a7f (or at least something containing 897da07a). 

Additional info:

Following is the output of a test script (redacted to remove private
proxy host addresses) that will be attached to this bug report.

+ wget -O 897DA07A.pgp 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x897DA07A'
--09:09:59--  http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x897DA07A
           => `897DA07A.pgp'
Resolving <redacted>... done.
Connecting to <redacted>[<redacted>]:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    0K ..                                                        2.01 MB/s

09:09:59 (2.01 MB/s) - `897DA07A.pgp' saved [2109]

+ wget -O 897DA07A.redhat http://www.redhat.com/security/897da07a.txt
--09:09:59--  http://www.redhat.com/security/897da07a.txt
           => `897DA07A.redhat'
Resolving <redacted>... done.
Connecting to <redacted>[<redacted>]:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 1,768 [text/plain]

    0K .                                                     100%    1.69 MB/s

09:09:59 (1.69 MB/s) - `897DA07A.redhat' saved [1768/1768]

++ rpm -qa 'gpg-pubkey*'
+ rpm -e gpg-pubkey-5e1f1bce-3e4f0a9a gpg-pubkey-897da07a-3c979a7f
+ rpm -qa 'gpg-pubkey*'
+ gpg --batch --yes --delete-keys 897DA07A
+ gpg --import 897DA07A.pgp
gpg: key 897DA07A: public key "Red Hat, Inc. (Beta Test Software) <rawhide@redhat.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
+ gpg --import 897DA07A.redhat
gpg: key 897DA07A: "Red Hat, Inc. (Beta Test Software) <rawhide@redhat.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
+ rpm --import 897DA07A.redhat
+ rpm -qa 'gpg-pubkey*'
gpg-pubkey-897da07a-3c979a7f
+ rpm --import 897DA07A.pgp
+ rpm -qa 'gpg-pubkey*'
gpg-pubkey-897da07a-3c979a7f
gpg-pubkey-5e1f1bce-3e4f0a9a
++ rpm -qa 'gpg-pubkey*'
+ rpm -qi gpg-pubkey-897da07a-3c979a7f
+ rpm -qi gpg-pubkey-5e1f1bce-3e4f0a9a
+ gpg --import gpg-pubkey-5e1f1bce-3e4f0a9a.rpmqi
gpg: key 897DA07A: "Red Hat, Inc. (Beta Test Software) <rawhide@redhat.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
+ gpg --import gpg-pubkey-897da07a-3c979a7f.rpmqi
gpg: key 897DA07A: "Red Hat, Inc. (Beta Test Software) <rawhide@redhat.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
Comment 1 Bob Drzyzgula 2004-04-28 09:34:15 EDT
Created attachment 99736
Script that demonstrates this bug

NOTE AND WARNING: DO NOT RUN THIS SCRIPT ON A PRODUCTION SYSTEM. This script
will connect to the internet to retrieve GPG keys, and will manipulate the
current user's GPG keyring and the local system's RPM database. Sample output is
included in the main body of the bug report.
Comment 2 Jeff Johnson 2004-05-04 09:38:15 EDT
Yup.

The easiest workaround is to load the rawhide key
from the web site, not from the key server.
Comment 3 Noa Resare 2004-05-21 14:29:38 EDT
Another workaround is to import the key to your local gpg keyring and
remove all signatures except the self signature and export the key
again. When imported into the rpm keyring the id is detected correctly.
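
An added example, not part of the original report and not rpm's code: a small Python parser that computes a v4 key's own ID from its public-key packet, lists the IDs carried by its signature packets, and drops third-party signatures the way Comment 3 describes. It assumes, consistent with that workaround but not confirmed on this page, that the stray ID came from a signature packet; the sample key, the signer ID a1b2c3d4 and all function names are constructed for illustration.

```python
import hashlib, struct

def packets(blob):
    """Yield (tag, body, raw) per packet; partial/indeterminate lengths unsupported."""
    i = 0
    while i < len(blob):
        start, hdr = i, blob[i]
        if hdr & 0x40:                      # new format, 1- or 2-octet length
            tag, n, i = hdr & 0x3F, blob[i + 1], i + 2
            if n >= 192:
                n, i = ((n - 192) << 8) + blob[i] + 192, i + 1
        else:                               # old format, 1-, 2- or 4-octet length
            tag, w = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(blob[i + 1:i + 1 + w], "big"), i + 1 + w
        yield tag, blob[i:i + n], blob[start:i + n]
        i += n

def fingerprint(pub):                       # v4: SHA-1(0x99 || 2-byte length || body)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub).digest()

def issuer(sig):                            # short ID of the key that made a signature
    if sig[0] == 3:                         # v3: key ID is a fixed field
        return sig[11:15].hex()
    pos = 4
    for _ in range(2):                      # v4: hashed area, then unhashed area
        end, pos = pos + 2 + int.from_bytes(sig[pos:pos + 2], "big"), pos + 2
        while pos < end:                    # assumes 1-octet subpacket lengths
            n, pos = sig[pos], pos + 1
            if (sig[pos] & 0x7F) == 16:     # issuer subpacket
                return sig[pos + 1:pos + n][-4:].hex()
            pos += n

def audit(blob):                            # -> (primary key ID, IDs of other signers)
    primary = next(fingerprint(b)[-4:].hex() for t, b, _ in packets(blob) if t == 6)
    return primary, {issuer(b) for t, b, _ in packets(blob) if t == 2} - {primary}

def strip_foreign(blob):                    # keep only signatures made by the key itself
    primary = audit(blob)[0]
    return b"".join(r for t, b, r in packets(blob) if t != 2 or issuer(b) == primary)

def make_pkt(tag, body):                    # old-format header, 2-octet length
    return bytes([0x80 | tag << 2 | 1]) + struct.pack(">H", len(body)) + body
def make_sig(issuer8):                      # v4 signature with only an issuer subpacket
    return b"\x04\x10\x11\x02\x00\x00\x00\x0a\x09\x10" + issuer8 + bytes(2)

# Constructed sample, not a real key: key, user ID, self-signature, third-party signature.
PUB = b"\x04\x40\x00\x00\x00\x11" + b"\x00\x08\xff" * 4
SAMPLE = (make_pkt(6, PUB) + make_pkt(13, b"Example <key@example.invalid>")
          + make_pkt(2, make_sig(fingerprint(PUB)[-8:])) + make_pkt(2, make_sig(bytes.fromhex("00000000a1b2c3d4"))))
```

The functions take a binary (de-armored) key, so `audit()` can be run on a downloaded key to confirm that the primary ID matches the one expected before `rpm --import`. With GnuPG itself, `gpg --armor --export-options export-minimal --export 897DA07A` exports the key with only its self-signatures.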
