This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 169810 - crontabs-1.10-7 is mis-signed NOKEY
crontabs-1.10-7 is mis-signed NOKEY
Status: CLOSED DUPLICATE of bug 166030
Product: Fedora Infrastructure
Classification: Retired
Component: update system (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Luke Macken
Bill Nottingham
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-10-03 17:40 EDT by Dan Hollis
Modified: 2016-09-19 22:36 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-03 18:08:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Dan Hollis 2005-10-03 17:40:23 EDT
Description of problem:
crontabs-1.10-7 is mis-signed NOKEY

Version-Release number of selected component (if applicable):
crontabs-1.10-7

How reproducible:
always

Steps to Reproduce:
1.rpm -e crontabs
2.yum install crontabs
3.profit
  
Actual results:
Downloading Packages:
(1/1): crontabs-1.10-7.no 100% |=========================| 5.0 kB    00:00     
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID db42a60e
Public key for crontabs-1.10-7.noarch.rpm is not installed
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora (0x4F2A6FD2) is already
installed


The GPG keys listed for the "Fedora Core 4 - i386 - Base" repository are already
installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Expected results:
It should install without borking.

Additional info:
Comment 1 Jason Vas Dias 2005-10-03 18:05:22 EDT
Yes, it appears the crontabs package somehow escaped being signed, or was 
signed with the wrong key (the redhat key probably changed since this package
was modified).

All our packages are built without signing and are then signed when pushed to
the repository mirrors. 

Somehow crontabs was not signed with the current key:
# lftp download.fedora.redhat.com:/pub/fedora/linux/core/4/i386/os/Fedora/RPMS>
get crontabs-1.10-7.noarch.rpm
5121 bytes transferred
# rpm -qi gpg-pubkey-4f2a6fd2-3f9d9d3b
Name        : gpg-pubkey ...
# rpm -qp crontabs-1.10-7.noarch.rpm --checksig
warning: crontabs-1.10-7.noarch.rpm: Header V3 DSA signature: NOKEY, key ID db42a60e
crontabs-1.10-7

I agree that the crontabs RPM would be amongst the #1 targets to spoof 
for malicious hackers wanting to get their code running on other people's
systems, and ought to be signed. 

I've CC'ed those who are responsible for package signing on this bug report.
Comment 3 Bill Nottingham 2005-10-03 18:08:44 EDT
a) this isn't an update package, it's a package from the base release
b) it's signed with the Red Hat security@redhat.com key

*** This bug has been marked as a duplicate of 166030 ***
Comment 4 Dan Hollis 2005-10-03 18:13:48 EDT
once you rpm -e the package, you can no longer yum install it.

not a bug?
Comment 5 Bill Nottingham 2005-10-03 18:19:18 EDT
You can import the key from /usr/share/rhn/RPM-GPG-KEY or
/usr/share/doc/fedora-release-4/RPM-GPG-KEY
Comment 6 Dan Hollis 2005-10-03 18:37:11 EDT
yum (or is it rpm?) usually tries to install missing keys when it doesn't find them.

should /usr/share/doc/fedora-release-4/RPM-GPG-KEY be added to the list of
auto-install keys? (and why isnt the key installed by default?)
Comment 7 Seth Vidal 2005-10-03 19:13:05 EDT
all the packages in base distro should be signed by the same key

the reason they were not is b/c it was a mistake.

and there's not much we can do about it now.
Comment 8 Dan Hollis 2005-10-03 19:25:27 EDT
so this bugzilla should serve as a warning/reminder for FC5

Note You need to log in before you can comment on or make changes to this bug.