Bug 169810 - crontabs-1.10-7 is mis-signed NOKEY
Summary: crontabs-1.10-7 is mis-signed NOKEY
Keywords:
Status: CLOSED DUPLICATE of bug 166030
Alias: None
Product: Fedora Infrastructure
Classification: Retired
Component: update system
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Luke Macken
QA Contact: Bill Nottingham
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-10-03 21:40 UTC by Dan Hollis
Modified: 2016-09-20 02:36 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-10-03 22:08:44 UTC
Embargoed:

Attachments (Terms of Use)

Description Dan Hollis 2005-10-03 21:40:23 UTC 
Description of problem:
crontabs-1.10-7 is mis-signed NOKEY

Version-Release number of selected component (if applicable):
crontabs-1.10-7

How reproducible:
always

Steps to Reproduce:
1.rpm -e crontabs
2.yum install crontabs
3.profit
  
Actual results:
Downloading Packages:
(1/1): crontabs-1.10-7.no 100% |=========================| 5.0 kB    00:00     
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID db42a60e
Public key for crontabs-1.10-7.noarch.rpm is not installed
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora (0x4F2A6FD2) is already
installed


The GPG keys listed for the "Fedora Core 4 - i386 - Base" repository are already
installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Expected results:
It should install without borking.

Additional info:
Comment 1 Jason Vas Dias 2005-10-03 22:05:22 UTC 
Yes, it appears the crontabs package somehow escaped being signed, or was 
signed with the wrong key (the redhat key probably changed since this package
was modified).

All our packages are built without signing and are then signed when pushed to
the repository mirrors. 

Somehow crontabs was not signed with the current key:
# lftp download.fedora.redhat.com:/pub/fedora/linux/core/4/i386/os/Fedora/RPMS>
get crontabs-1.10-7.noarch.rpm
5121 bytes transferred
# rpm -qi gpg-pubkey-4f2a6fd2-3f9d9d3b
Name        : gpg-pubkey ...
# rpm -qp crontabs-1.10-7.noarch.rpm --checksig
warning: crontabs-1.10-7.noarch.rpm: Header V3 DSA signature: NOKEY, key ID db42a60e
crontabs-1.10-7

I agree that the crontabs RPM would be amongst the #1 targets to spoof 
for malicious hackers wanting to get their code running on other people's
systems, and ought to be signed. 

I've CC'ed those who are responsible for package signing on this bug report.
Comment 3 Bill Nottingham 2005-10-03 22:08:44 UTC 
a) this isn't an update package, it's a package from the base release
b) it's signed with the Red Hat security key

*** This bug has been marked as a duplicate of 166030 ***
Comment 4 Dan Hollis 2005-10-03 22:13:48 UTC 
once you rpm -e the package, you can no longer yum install it.

not a bug?
Comment 5 Bill Nottingham 2005-10-03 22:19:18 UTC 
You can import the key from /usr/share/rhn/RPM-GPG-KEY or
/usr/share/doc/fedora-release-4/RPM-GPG-KEY
Comment 6 Dan Hollis 2005-10-03 22:37:11 UTC 
yum (or is it rpm?) usually tries to install missing keys when it doesn't find them.

should /usr/share/doc/fedora-release-4/RPM-GPG-KEY be added to the list of
auto-install keys? (and why isnt the key installed by default?)
Comment 7 Seth Vidal 2005-10-03 23:13:05 UTC 
all the packages in base distro should be signed by the same key

the reason they were not is b/c it was a mistake.

and there's not much we can do about it now.
Comment 8 Dan Hollis 2005-10-03 23:25:27 UTC 
so this bugzilla should serve as a warning/reminder for FC5
Note You need to log in before you can comment on or make changes to this bug.