Bug 167902 - Corrupt gpg key in package
Corrupt gpg key in package
Product: Fedora Infrastructure
Classification: Retired
Component: other (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Bill Nottingham
Bill Nottingham
: 162302 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2005-09-09 07:13 EDT by Kenneth Porter
Modified: 2014-03-16 22:55 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-05-16 16:57:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Kenneth Porter 2005-09-09 07:13:55 EDT
Attempting to install anaconda-help with "yum install anaconda-help" (using a
local repository) results in the following error message:

warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID db42a60e
public key not available for anaconda-help-10.1.0-1.noarch.rpm
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

The GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora (0x4F2A6FD2)
is already installed but is not the correct key for this package.
Check that this is the correct key for the "Fedora Core 4 - i386 - Base" repository.
Comment 1 Kenneth Porter 2005-09-09 07:15:27 EDT
Workaround is to temporarily set gpgcheck=0 in /etc/yum.repos.d/fedora.repo.
Comment 2 Paul Nasrat 2005-09-09 07:41:05 EDT
Due to the way the tree inheritence works some ( a very small number of noarch)
packages ended up not being rebuilt so are signed with the Red Hat key

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY

Bill, I'm pretty sure something like repoclosure could pick this up pre ship to
prevent this in FC5
Comment 3 Bill Nottingham 2005-09-09 14:52:42 EDT
Repoclosure can check sigs?
Comment 4 Paul Nasrat 2005-09-09 15:03:35 EDT
If it can't atm it shouldn't be too painful
Comment 5 Bill Nottingham 2005-09-09 15:24:55 EDT
Hm, I don't see the signature in the repodata anywhere. Perhaps I'm looking at
the wrong place?
Comment 6 Paul Nasrat 2005-09-09 15:44:49 EDT
No we'd have to download the headers and run a test transaction but it's not a
hard script to write with the yum api. I'll see if I can knock something up over
the weekend.
Comment 7 Bill Nottingham 2005-09-09 15:47:54 EDT
Why not embrace and extend the metadata format with the key the package is
signed with?
Comment 8 Seth Vidal 2005-09-12 19:44:16 EDT
What good would it do to put the key in the metadata?

Just so you can check the repo based on the metadata? why not make repo
maintainers take some care in creating their repositories?
Comment 9 Bill Nottingham 2005-09-12 23:52:50 EDT
Having it in the metadata makes it easy to check at the same time that you're
checking a repo for dependency closure, and other sanity checks.
Comment 10 Bill Nottingham 2005-10-31 15:07:48 EST
*** Bug 162302 has been marked as a duplicate of this bug. ***
Comment 11 Bill Nottingham 2008-05-16 16:57:28 EDT
Closing, I don't think we're going to do this.

Note You need to log in before you can comment on or make changes to this bug.