135333 – package *** does not have a valid GPG signature

Bug 135333 - package *** does not have a valid GPG signature

Summary: package *** does not have a valid GPG signature

Keywords:
Status:	CLOSED DUPLICATE of bug 108652
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	up2date
Sub Component:
Version:	2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Adrian Likins
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-10-12 01:05 UTC by Andre Robatino
Modified:	2007-11-30 22:10 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2006-04-22 15:15:12 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Andre Robatino 2004-10-12 01:05:59 UTC

Description of problem:
  up2date hangs while downloading a package, and then gives an error
message claiming that the GPG signature is bad.  The actual problem is
that the download ended prematurely and the file is merely truncated.

Version-Release number of selected component (if applicable):
up2date-4.3.19-1

How reproducible:
rarely

Steps to Reproduce:
1.  Try to download new packages using up2date.
  
Actual results:
  Download hangs on one of the packages.  After several minutes, an
error appears that the GPG signature is bad, even though the package
hasn't finished downloading.

Expected results:
  up2date should either resume the download and wait to check the GPG
signature until it's finished, or if it can't resume the download, it
should say so and resume it the next time it is run.  The GPG check
should never be done until the download is finished.

Additional info:
  I ran it from the command line:

[root@localhost andre]# up2date
http://fedora.redhat.com/download/up2date-mirrors/fedora-core-2
using mirror: http://mirrors.kernel.org/fedora/core/2/i386/os/
http://fedora.redhat.com/download/up2date-mirrors/updates-released-fc2
using mirror:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/
[root@localhost andre]#

  There is no error message either in stdout or in /var/log/up2date,
despite the error in the dialog box.  I also know from previous
experience that a partially downloaded RPM (which is saved in
/var/spool/up2date) is not used to resume the download if up2date is
run again, although it should be.  I copied the error message from an
earlier bug report since I neglected to write down the one from the
dialog box, but presumably it's the same.  This is the same as bug
#86527, bug #85808 and bug #70112 which were closed prematurely, with
the exception that up2date no longer shows error messages on the
command line when the download fails.

Comment 1 Andre Robatino 2004-10-14 18:31:55 UTC

  Experienced the problem again.  The dialog box message is

The package libtiff-3.5.7-20.2 does not have a valid GPG signature.
It has been tampered with or corrupted.  Continue?

  As stated above, truncation is NOT corruption.

Comment 2 Matthew Miller 2005-04-26 16:17:22 UTC

Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.

Comment 3 Todd Warner 2005-09-23 22:45:54 UTC

sounds really familiar. Adrian?

Comment 4 David Lawrence 2006-04-18 20:07:59 UTC

NEEDINFO_ENG has been deprecated in favor of NEEDINFO or ASSIGNED. Changing
status to ASSIGNED for ENG review.

Comment 5 John Thacker 2006-04-22 15:15:12 UTC

This is basically one of the several "up2date does not handle failures
gracefully" bugs, whether downloading, bad packages, or interruptions.

*** This bug has been marked as a duplicate of 108652 ***

Note You need to log in before you can comment on or make changes to this bug.