Bug 136461 - "unsigned package" problems
"unsigned package" problems
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: distribution (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jeremy Katz
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-10-20 05:22 EDT by Need Real Name
Modified: 2014-01-21 17:50 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-25 18:21:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2004-10-20 05:22:09 EDT
This might be a gpg problem.

Any package I try to download, I get an "unsigned package" problem.

e.g.
# yum install firefox
[snip]
Downloading Packages:
firefox-0.10.1-1.0PR1.10. 100% |=========================| 8.3 MB    00:10
unsigned package
//var/cache/yum/development/packages/firefox-0.10.1-1.0PR1.10.i386.rpm

or with up2date:
# up2date firefox
[snip]
firefox-0.10.1-1.0PR1.10.i3 ########################## Done.
The package firefox-0.10.1-1.0PR1.10 is not signed with a GPG
signature.  Aborting...
Package firefox-0.10.1-1.0PR1.10 does not have a GPG signature.
 Aborting...

Maybe the key needs importing:

# gpg --import /usr/share/rhn/RPM-GPG-KEY-fedora-test
gpg: failed to create temporary file
`/root/.gnupg/.#lk0x8e02998.simon.16566': No such file or directory
gpg: keyblock resource `/root/.gnupg/secring.gpg': general error
gpg: failed to create temporary file
`/root/.gnupg/.#lk0x8e05c40.simon.16566': No such file or directory
gpg: keyblock resource `/root/.gnupg/pubring.gpg': general error
gpg: no writable keyring found: eof
gpg: error reading `/usr/share/rhn/RPM-GPG-KEY-fedora-test': general error
gpg: import from `/usr/share/rhn/RPM-GPG-KEY-fedora-test' failed:
general error
gpg: Total number processed: 0
[root@simon sb]# gpg --import /usr/share/rhn/RPM-GPG-KEY-fedora-test
gpg: failed to create temporary file
`/root/.gnupg/.#lk0x8b5f998.box.16570': No such file or directory
gpg: keyblock resource `/root/.gnupg/secring.gpg': general error
gpg: failed to create temporary file
`/root/.gnupg/.#lk0x8b62c40.box.16570': No such file or directory
gpg: keyblock resource `/root/.gnupg/pubring.gpg': general error
gpg: no writable keyring found: eof
gpg: error reading `/usr/share/rhn/RPM-GPG-KEY-fedora-test': general error
gpg: import from `/usr/share/rhn/RPM-GPG-KEY-fedora-test' failed:
general error
gpg: Total number processed: 0

I'm running that as root.
Comment 1 Need Real Name 2004-10-20 06:53:32 EDT
Not all rawhide packages are signed. Reassigning.
Comment 2 Need Real Name 2004-10-25 17:02:41 EDT
"All official updates for Red Hat products are digitally signed and 
should not be installed unless they are correctly signed and the 
signature is verified."
 -- http://www.redhat.com/security/


No they're not. Does this mean the updates I installed are not valid?
Comment 3 Seth Vidal 2004-10-25 18:21:17 EDT
1. fedora core is not a product, it is a project.
2. releases from rawhide are not official.
Comment 4 Féliciano Matias 2004-10-26 06:26:13 EDT
> 1. fedora core is not a product, it is a project.

There are "Fedora Project" and "Fedore Core".
http://fedora.redhat.com/
* "The goal of The Fedora Project is to work with the Linux community
to build a complete, general purpose operating system exclusively from
free software."

An operating system is also a "product".

Here, you can buy the "product" not the projet :
http://fedora.redhat.com/download/vendors.html

The point here, is not to sign the projet but the "product" known as
"Fedora Core".

Here you can get the latest official snapshot of Rawhide (Rawhide is
"produced" by the Fedora projet) :
http://fedora.redhat.com/download/test.html

> 2. releases from rawhide are not official.
FC3T1
http://www.redhat.com/archives/fedora-announce-list/2004-July/msg00012.html
FC3T2
http://www.redhat.com/archives/fedora-announce-list/2004-September/msg00024.html
FC3T3
http://www.redhat.com/archives/fedora-announce-list/2004-October/msg00005.html

A test release is a rawhide snapshot.

All packages are signed.
Iso come with a signed MD5SUM :
$ gpg --verify MD5SUM
gpg: Signature faite mer 06 oct 2004 18:58:49 CEST avec la clé DSA ID
4F2A6FD2
gpg: Bonne signature de "Fedora Project <fedora@redhat.com>"

Note You need to log in before you can comment on or make changes to this bug.