Red Hat Bugzilla – Bug 135333
package *** does not have a valid GPG signature
Last modified: 2007-11-30 17:10:51 EST
Description of problem: up2date hangs while downloading a package, and then gives an error message claiming that the GPG signature is bad. The actual problem is that the download ended prematurely and the file is merely truncated. Version-Release number of selected component (if applicable): up2date-4.3.19-1 How reproducible: rarely Steps to Reproduce: 1. Try to download new packages using up2date. Actual results: Download hangs on one of the packages. After several minutes, an error appears that the GPG signature is bad, even though the package hasn't finished downloading. Expected results: up2date should either resume the download and wait to check the GPG signature until it's finished, or if it can't resume the download, it should say so and resume it the next time it is run. The GPG check should never be done until the download is finished. Additional info: I ran it from the command line: [root@localhost andre]# up2date http://fedora.redhat.com/download/up2date-mirrors/fedora-core-2 using mirror: http://mirrors.kernel.org/fedora/core/2/i386/os/ http://fedora.redhat.com/download/up2date-mirrors/updates-released-fc2 using mirror: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/ [root@localhost andre]# There is no error message either in stdout or in /var/log/up2date, despite the error in the dialog box. I also know from previous experience that a partially downloaded RPM (which is saved in /var/spool/up2date) is not used to resume the download if up2date is run again, although it should be. I copied the error message from an earlier bug report since I neglected to write down the one from the dialog box, but presumably it's the same. This is the same as bug #86527, bug #85808 and bug #70112 which were closed prematurely, with the exception that up2date no longer shows error messages on the command line when the download fails.
Experienced the problem again. The dialog box message is The package libtiff-3.5.7-20.2 does not have a valid GPG signature. It has been tampered with or corrupted. Continue? As stated above, truncation is NOT corruption.
Fedora Core 2 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC3 updates or in the FC4 test release, reopen and change the version to match.
sounds really familiar. Adrian?
NEEDINFO_ENG has been deprecated in favor of NEEDINFO or ASSIGNED. Changing status to ASSIGNED for ENG review.
This is basically one of the several "up2date does not handle failures gracefully" bugs, whether downloading, bad packages, or interruptions. *** This bug has been marked as a duplicate of 108652 ***