Description of problem: the fedora keys to verify packages should be part of the installation iso-image to prevent spoofing Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. install fedora 2. run up2date-gui 3. up2date wants to download a key Actual results: Expected results: Additional info:
A workaround is to use up2date-config, unclick on "Use GPG to verify package integrity" under Retrieval / Installation and save.
Does up2date download it or grab it from /usr/share/rhn/...?
good point! it justs asks if I want to install the key, but does not say from where... so it might be from /usr/share/rhn
It imports from /usr/share/rhn which is not a bug and doesnt have a chance of being spoofed