Bug 155425 - fedora keys should not be downloaded
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: fedora-release
Version: rawhide
Platform: All Linux
Priority: high Severity: medium
Assigned To: Elliot Lee
Keywords: Security
Duplicates: 157144
Depends On:
Blocks: FC4Blocker
Reported: 2005-04-20 03:52 EDT by Martin Welss
Modified: 2014-01-21 17:51 EST (History)
Last Closed: 2005-05-22 17:38:39 EDT
Description Martin Welss 2005-04-20 03:52:04 EDT
Description of problem:
The key used to verify packages from Fedora and Fedora Extras should be part of the
installation ISO image, to prevent spoofing.
Steps to Reproduce:
1. Fedora Core just installed
2. yum install xlockmore
3. ... yum downloads the key and asks to import it ...
Comment 1 Marius Andreiana 2005-04-21 12:20:08 EDT
They are:
rpm --import /usr/share/doc/fedora-release-*/RPM-GPG-KEY*

But they should be automatically imported at install time (or during first boot?)
Comment 2 Jeremy Katz 2005-04-21 13:44:27 EDT
We should change fedora-release to specify the path to the key... which probably
is going to mean moving them out of just being in
/usr/share/doc/fedora-release-version to somewhere more predictable (without the
version).  
Comment 3 Elliot Lee 2005-05-11 19:00:08 EDT
What specific actions in which packages are needed to resolve this bug? If
someone doesn't use up2date, is there anything that does an auto-import of the keys?
Comment 4 Seth Vidal 2005-05-11 19:50:53 EDT
yum auto-imports the keys, yes.

If a repo has gpgkey=url://to/key (file:// URLs allowed), then if/when a package
from that repo is downloaded and a GPG key verification is needed, the key
will be downloaded/imported.
Comment 5 Warren Togami 2005-05-16 04:48:23 EDT
/usr/share/doc is also a bad location because the files there can be excluded from
installation with rpm --excludedocs.

So this is really two fixes:
* yum repo definitions shipped in FC should have gpgkey=url:// point at a local
file rather than remote file.
* /etc/somewhere is a logical place to put these keys.
Comment 6 Warren Togami 2005-05-19 02:43:52 EDT
up2date ships its own copy of the Fedora keys in /usr/share/rhn/. Nothing should
rely on anything in /usr/share/doc.

Elliot do you want to go ahead with the suggestions in Comment #4 and #5?  That
is 1) Move the keys in fedora-release into a non-versioned and non-doc
directory, and
2) point yum to those local files rather than a network URL for downloading keys.
Comment 7 Elliot Lee 2005-05-19 09:53:54 EDT
Already fixed in CVS.
Comment 8 Miloslav Trmač 2005-05-20 10:30:56 EDT
*** Bug 157144 has been marked as a duplicate of this bug. ***
Comment 9 Warren Togami 2005-05-21 20:05:12 EDT
Unless I am totally misunderstanding this situation, this needs fixing in both
fedora-release and yum.  fedora-release needs the key files to exist somewhere
outside of %doc dirs, while yum needs gpgkeys= to local file URLs to find them.
Comment 10 Roozbeh Pournader 2005-05-22 06:39:39 EDT
Warren, I guess you are mistaken. yum repository data is actually in the
fedora-release package, as far as I know.
Comment 11 Warren Togami 2005-05-22 07:06:28 EDT
OK, yum doesn't need changing, but fedora-release does.

FC4-0520.0 candidate tree contains fedora-release-3.92-1.
/etc/yum.repos.d/ still contains
gpgkey=http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras

http://cvs.fedora.redhat.com/viewcvs/fedora-release/?root=fedora
The .repo files in CVS do use file:// URLs, but they still install keys using
%doc which is wrong.  rpm --excludedocs would break this, which is supposed to
be a supported way of using the operating system.

The RPM GPG keys should be installed anywhere but %doc.  up2date installs
another copy into /usr/share/rhn.  Where should we put the fedora-release copy?
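The audit script below is an added example, not part of this bug thread or of fedora-release. It checks a directory of yum .repo files for the two problems discussed in Comment 4, Comment 5 and Comment 11 (a gpgkey= that points at a network URL rather than a local file://, and gpgcheck disabled outright). The sample .repo files are constructed inline; the remote gpgkey line mirrors the one quoted in Comment 11, and the file:///etc/pki/rpm-gpg/... path is an assumed placeholder.

```shell
#!/bin/sh
# Added audit script (not the project's own code): list yum repo sections whose
# gpgkey= does not point at a local file:// URL, or whose gpgcheck is disabled.
set -u

# Constructed sample .repo files (placeholders, not the real FC4 files);
# the [extras] entry mirrors the remote gpgkey line quoted in Comment 11.
REPO_DIR=$(mktemp -d)
trap 'rm -rf "$REPO_DIR"' EXIT
cat > "$REPO_DIR/fedora-core.repo" <<'EOF'
[base]
name=Fedora Core
baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[unchecked]
name=Example without signature verification
baseurl=http://example.invalid/repo/
gpgcheck=0
EOF
cat > "$REPO_DIR/fedora-extras.repo" <<'EOF'
[extras]
name=Fedora Extras
baseurl=http://download.fedora.redhat.com/pub/fedora/linux/extras/
gpgcheck=1
gpgkey=http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras
EOF

# audit_repos DIR: prints "repo-id:finding" per offending section, nothing if clean.
# Assumption: any gpgkey scheme other than file:// means the key is fetched from
# the network at import time, which is exactly what this bug objects to.
audit_repos() {
    awk '
        function flush() {                       # report the section just finished
            if (id == "") return
            if (check == "0")             print id ":gpgcheck-disabled"
            else if (key == "")           print id ":no-gpgkey"
            else if (key !~ /^file:\/\//) print id ":remote-gpgkey"
        }
        /^\[/ { flush(); id = $0; sub(/^\[/, "", id); sub(/\].*$/, "", id); check = ""; key = "" }
        /^gpgcheck[[:space:]]*=/ { check = $0; sub(/^[^=]*=[[:space:]]*/, "", check) }
        /^gpgkey[[:space:]]*=/   { key = $0;   sub(/^[^=]*=[[:space:]]*/, "", key) }
        END { flush() }
    ' "$1"/*.repo
}

audit_repos "$REPO_DIR"
```

Run against a real /etc/yum.repos.d the same function reports every repo that would still pull its signing key over the network on first use.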
Comment 12 Elliot Lee 2005-05-22 17:38:39 EDT
Under /usr/share/doc is fine. Stop reopening this bug already.
Comment 13 Warren Togami 2005-05-22 17:40:21 EDT
Would it be wrong if I moved it out of /usr/share/doc?  Please don't depend on
anything in /usr/share/doc...
Comment 14 Warren Togami 2005-05-25 05:13:11 EDT
After subsequent discussion it was decided to move RPM-GPG-KEY* into an
unchanging named directory.  /etc/pki/rpm-gpg seems appropriate.  This is now
checked into CVS for fedora-release-4-1.