Red Hat Bugzilla – Bug 167902
Corrupt gpg key in package
Last modified: 2014-03-16 22:55:51 EDT
Attempting to install anaconda-help with "yum install anaconda-help" (using a
local repository) results in the following error message:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID db42a60e
public key not available for anaconda-help-10.1.0-1.noarch.rpm
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
The GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora (0x4F2A6FD2)
is already installed but is not the correct key for this package.
Check that this is the correct key for the "Fedora Core 4 - i386 - Base" repository.
Workaround is to temporarily set gpgcheck=0 in /etc/yum.repos.d/fedora.repo.
Due to the way the tree inheritence works some ( a very small number of noarch)
packages ended up not being rebuilt so are signed with the Red Hat key
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY
Bill, I'm pretty sure something like repoclosure could pick this up pre ship to
prevent this in FC5
Repoclosure can check sigs?
If it can't atm it shouldn't be too painful
Hm, I don't see the signature in the repodata anywhere. Perhaps I'm looking at
the wrong place?
No we'd have to download the headers and run a test transaction but it's not a
hard script to write with the yum api. I'll see if I can knock something up over
Why not embrace and extend the metadata format with the key the package is
What good would it do to put the key in the metadata?
Just so you can check the repo based on the metadata? why not make repo
maintainers take some care in creating their repositories?
Having it in the metadata makes it easy to check at the same time that you're
checking a repo for dependency closure, and other sanity checks.
*** Bug 162302 has been marked as a duplicate of this bug. ***
Closing, I don't think we're going to do this.