Attempting to install anaconda-help with "yum install anaconda-help" (using a local repository) results in the following error message:
    warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID db42a60e
    public key not available for anaconda-help-10.1.0-1.noarch.rpm
    Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
    The GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora (0x4F2A6FD2)
    is already installed but is not the correct key for this package.
    Check that this is the correct key for the "Fedora Core 4 - i386 - Base" repository.
Workaround is to temporarily set gpgcheck=0 in /etc/yum.repos.d/fedora.repo.
Due to the way the tree inheritance works, some (a very small number of noarch) packages ended up not being rebuilt, so are signed with the Red Hat key:
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY
Bill, I'm pretty sure something like repoclosure could pick this up pre-ship to prevent this in FC5.
Repoclosure can check sigs?
If it can't atm it shouldn't be too painful
Hm, I don't see the signature in the repodata anywhere. Perhaps I'm looking at the wrong place?
No, we'd have to download the headers and run a test transaction, but it's not a hard script to write with the yum API. I'll see if I can knock something up over the weekend.
Why not embrace and extend the metadata format with the key the package is signed with?
What good would it do to put the key in the metadata? Just so you can check the repo based on the metadata? Why not make repo maintainers take some care in creating their repositories?
Having it in the metadata makes it easy to check at the same time that you're checking a repo for dependency closure, and other sanity checks.
*** Bug 162302 has been marked as a duplicate of this bug. ***
Closing, I don't think we're going to do this.
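The pre-ship signature check discussed in this thread, sketched as an added example (not code from this bug report, yum or repoclosure): instead of a yum test transaction it reads each package's signer key ID through rpm's `:pgpsig` query format and lists packages not signed with the expected key. The function names, the sample package lines and the zero-padded long key IDs are constructed for illustration; only the short key IDs and the anaconda-help package name come from the report above.

```shell
#!/bin/sh
# Added example: list packages in a tree that are not signed with the expected key.
# One line per package: name, then header and legacy signature tags, "|"-separated.
# A tag that is absent from the package prints as "(none)".
QF='%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{DSAHEADER:pgpsig}|%{RSAHEADER:pgpsig}|%{SIGGPG:pgpsig}|%{SIGPGP:pgpsig}\n'

# find_missigned EXPECTED_KEYID   (reads query lines on stdin)
# Prints "<package> <keyid|unsigned>" for each package whose signer key ID
# does not end in EXPECTED_KEYID (short or long ID, any letter case).
find_missigned() {
    awk -F'|' -v want="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
    {
        key = "unsigned"
        for (i = 2; i <= NF; i++)
            if (match($i, /Key ID [0-9A-Fa-f]+/)) {
                key = tolower(substr($i, RSTART + 7, RLENGTH - 7))
                break
            }
        # Compare trailing characters so a short ID matches a long one.
        if (key == "unsigned" || substr(key, length(key) - length(want) + 1) != want)
            print $1, key
    }'
}

# audit_tree DIR EXPECTED_KEYID: query every RPM under DIR (needs rpm installed).
# NOKEY warnings go to stderr and are dropped; the key ID is still reported.
audit_tree() {
    find "$1" -name '*.rpm' -exec rpm -qp --qf "$QF" {} + 2>/dev/null |
        find_missigned "$2"
}

# Constructed sample of the query output (dates and long key IDs are made up).
sample_query_output() {
    cat <<'EOF'
example-signed-1.0-1.i386|(none)|(none)|DSA/SHA1, Wed 01 Jun 2005 12:00:00 PM UTC, Key ID 000000004f2a6fd2|(none)
anaconda-help-10.1.0-1.noarch|(none)|(none)|DSA/SHA1, Wed 01 Jun 2005 12:00:00 PM UTC, Key ID 00000000db42a60e|(none)
example-unsigned-1.0-1.noarch|(none)|(none)|(none)|(none)
EOF
}

# Demo on the constructed sample; on a real tree: audit_tree /path/to/tree 4F2A6FD2
sample_query_output | find_missigned 4F2A6FD2
```

Unsigned packages are reported alongside wrongly signed ones, since both fail for a client with gpgcheck=1 and only the repository key imported.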