Description of problem:
crontabs-1.10-7 is mis-signed NOKEY

Version-Release number of selected component (if applicable):
crontabs-1.10-7

How reproducible:
always

Steps to Reproduce:
1. rpm -e crontabs
2. yum install crontabs
3. profit

Actual results:
Downloading Packages:
(1/1): crontabs-1.10-7.no 100% |=========================| 5.0 kB 00:00
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID db42a60e
Public key for crontabs-1.10-7.noarch.rpm is not installed
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora (0x4F2A6FD2) is already installed
The GPG keys listed for the "Fedora Core 4 - i386 - Base" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Expected results:
It should install without borking.

Additional info:
Yes, it appears the crontabs package somehow escaped being signed, or was signed with the wrong key (the redhat key probably changed since this package was modified). All our packages are built without signing and are then signed when pushed to the repository mirrors. Somehow crontabs was not signed with the current key:

# lftp download.fedora.redhat.com:/pub/fedora/linux/core/4/i386/os/Fedora/RPMS> get crontabs-1.10-7.noarch.rpm
5121 bytes transferred
# rpm -qi gpg-pubkey-4f2a6fd2-3f9d9d3b
Name        : gpg-pubkey
...
# rpm -qp crontabs-1.10-7.noarch.rpm --checksig
warning: crontabs-1.10-7.noarch.rpm: Header V3 DSA signature: NOKEY, key ID db42a60e
crontabs-1.10-7

I agree that the crontabs RPM would be amongst the #1 targets to spoof for malicious hackers wanting to get their code running on other people's systems, and ought to be signed. I've CC'ed those who are responsible for package signing on this bug report.
a) this isn't an update package, it's a package from the base release
b) it's signed with the Red Hat security key

*** This bug has been marked as a duplicate of 166030 ***
Once you rpm -e the package, you can no longer yum install it. Not a bug?
You can import the key from /usr/share/rhn/RPM-GPG-KEY or /usr/share/doc/fedora-release-4/RPM-GPG-KEY
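The manual procedure the comments above describe (verify the package signature, read off the ID of the missing key, import only a locally shipped key file whose key ID matches, then re-verify), as an added shell example that is not part of the bug report and not code from rpm, yum or Fedora. The key file paths are the two named in this comment; the gpg --show-keys call assumes GnuPG 2.1.23 or later; the sample rpm -K lines and the sample gpg colon record used for checking are constructed, not captured from a real key.

```shell
#!/bin/sh
# Added example (not from the bug report or from rpm/yum): verify an RPM's
# signature and, when the signing key is missing from the rpm database, import
# it only from a known local key file whose key ID matches. Nothing is fetched
# from the repository mirror: a mirror that can serve a mis-signed package can
# just as easily serve a key that "fixes" it.

# Extract the short (8 hex digit) key ID from rpm --checksig / rpm -K output.
# Handles both output styles rpm has used:
#   warning: foo.rpm: Header V3 DSA signature: NOKEY, key ID db42a60e
#   foo.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)
# Prints nothing when no key is reported missing.
checksig_nokey_id() {
    printf '%s\n' "$1" |
        sed -n -e 's/.*NOKEY, key ID \([0-9A-Fa-f]\{8\}\).*/\1/p' \
               -e 's/.*MISSING KEYS: GPG#\([0-9A-Fa-f]\{8\}\).*/\1/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# Returns 0 when rpm -K output reports neither a missing key nor a failed check.
checksig_ok() {
    [ -z "$(checksig_nokey_id "$1")" ] || return 1
    case $1 in *"NOT OK"*|*"BAD"*) return 1 ;; esac
    return 0
}

# rpm records each imported public key as a pseudo-package named after the
# short key ID, e.g. gpg-pubkey-4f2a6fd2-3f9d9d3b; this is the part rpm -q matches.
pubkey_pkg_name() {
    printf 'gpg-pubkey-%s\n' "$1"
}

# Short key ID (last 8 hex digits of the long ID in field 5 of the "pub"
# record) from gpg --with-colons output.
short_id_from_colons() {
    printf '%s\n' "$1" |
        awk -F: '$1 == "pub" { print tolower(substr($5, length($5) - 7)); exit }'
}

# Short key ID of a key file. Assumes GnuPG 2.1.23 or later for --show-keys.
key_file_short_id() {
    short_id_from_colons "$(gpg --batch --with-colons --show-keys "$1" 2>/dev/null)"
}

# ensure_signing_key PKG.rpm KEYFILE...
# Exit 0 if PKG verifies, importing a matching local key first if needed.
ensure_signing_key() {
    pkg=$1; shift
    out=$(rpm -K "$pkg" 2>&1); printf '%s\n' "$out"
    id=$(checksig_nokey_id "$out")
    if [ -z "$id" ]; then
        # Either fully OK, or a bad digest/signature that no key import can fix.
        checksig_ok "$out"; return $?
    fi
    if rpm -q "$(pubkey_pkg_name "$id")" >/dev/null 2>&1; then
        echo "key $id is already imported yet the package still fails; not importing more keys" >&2
        return 1
    fi
    echo "signing key $id is not in the rpm database; checking local key files: $*"
    for f in "$@"; do
        [ -r "$f" ] || continue
        if [ "$(key_file_short_id "$f")" = "$id" ]; then
            echo "importing $f as $(pubkey_pkg_name "$id")"
            rpm --import "$f" || return 1
            out=$(rpm -K "$pkg" 2>&1); printf '%s\n' "$out"
            checksig_ok "$out"; return $?
        fi
    done
    echo "no local key file matches key ID $id; refusing to import anything" >&2
    return 1
}

# Usage:
#   sh check_rpm_key.sh crontabs-1.10-7.noarch.rpm \
#       /usr/share/doc/fedora-release-4/RPM-GPG-KEY /usr/share/rhn/RPM-GPG-KEY
if [ "$#" -gt 0 ]; then
    ensure_signing_key "$@"
fi
```

The key ID comparison is what keeps this from being a blind "rpm --import everything under /usr/share" loop: only a file that actually carries the key rpm complained about gets imported, and a package that fails for any reason other than a missing key is left alone.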
yum (or is it rpm?) usually tries to install missing keys when it doesn't find them. Should /usr/share/doc/fedora-release-4/RPM-GPG-KEY be added to the list of auto-install keys? (And why isn't the key installed by default?)
All the packages in the base distro should be signed by the same key. The reason they were not is because it was a mistake, and there's not much we can do about it now.
So this bugzilla should serve as a warning/reminder for FC5.