Red Hat Bugzilla – Bug 171530
security: Maelstrom RPM unsigned, DoS's up2date
Last modified: 2007-11-30 17:11:15 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Description of problem:
The current mirrored copy of the Maelstrom RPM for i386 for Fedora Core 4 is unsigned, and thus up2date bombs out when attempting to update this file.
This DoS's the up2date system until Maelstrom is removed.
Version-Release number of selected component (if applicable):
Maelstrom (standard version as shipped on FC4 DVD)
Steps to Reproduce:
You may not have the Fedora Extras GPG key installed. If this is the case,
up2date will falsely claim that the file is unsigned, when the only problem is
that the corresponding key is not installed. To make sure, go into
/etc/pki/rpm-gpg and install the GPG key (as root) with
rpm --install RPM-GPG-KEY-fedora-extras
I have Maelstrom installed and didn't have this problem when installing. In
addition I just verified that
is properly signed with key 1ac70ce6.
I tried to install the key (no idea why on earth the Fedora Core 4 upgrade
process doesn't install it, but regardless) and the install attempt hangs for no
[root@phoebe rpm-gpg]# rpm --install RPM-GPG-KEY-fedora-extras
Just figured it out - it was rpm --import instead of --install.
Closing this bug, as the problem is with the FC4 setup and not Maelstrom.