Red Hat Bugzilla – Bug 171530
security: Maelstrom RPM unsigned, DoS's up2date
Last modified: 2007-11-30 17:11:15 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7 Description of problem: The current mirrored copy of the Maelstrom RPM for i386 for Fedora Core 4 is unsigned, and thus up2date bombs out when attempting to update this file. This DoS's the up2date system until Maelstrom is removed. Version-Release number of selected component (if applicable): Maelstrom (standard version as shipped on FC4 DVD) How reproducible: Always Steps to Reproduce: xxx Additional info:
You may not have the Fedora Extras GPG key installed. If this is the case, up2date will falsely claim that the file is unsigned, when the only problem is that the corresponding key is not installed. To make sure, go into /etc/pki/rpm-gpg and install the GPG key (as root) with rpm --install RPM-GPG-KEY-fedora-extras I have Maelstrom installed and didn't have this problem when installing. In addition I just verified that http://download.fedora.redhat.com/pub/fedora/linux/extras/4/i386/Maelstrom-3.0.6-8.i386.rpm is properly signed with key 1ac70ce6.
I tried to install the key (no idea why on earth the Fedora Core 4 upgrade process doesn't install it, but regardless) and the install attempt hangs for no apparent reason: [root@phoebe rpm-gpg]# rpm --install RPM-GPG-KEY-fedora-extras ^C [root@phoebe rpm-gpg]#
Just figured it out - it was rpm --import instead of --install. Closing this bug, as the problem is with the FC4 setup and not Maelstrom.