Red Hat Bugzilla – Bug 200739
rpm --import of a keyfile with signatures results in bad gpg-pubkey database entry
Last modified: 2007-11-30 17:07:26 EST
+++ This bug was initially created as a clone of Bug #90952 +++ From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225 Description of problem: Certain GPG public keys are not imported correctly by RPM. The resulting RPM database entries contain an incorrect version tag. Version-Release number of selected component (if applicable): rpm-4.2-0.69 How reproducible: Always Steps to Reproduce: 1. gpg --recv-keys 54A2ACF1 2. gpg --export -a 54A2ACF1 > key.txt 3. rpm --import key.txt 4. rpm -q gpg-pubkey --last | head -1 Why does it get named 55f3aa6f? # rpm -qi gpg-pubkey-55f3aa6f | gpg pub 1024D/54A2ACF1 --snip-- sub 2048g/4AD75982 2002-11-25 [expires: 2007-11-24] Actual Results: gpg-pubkey-55f3aa6f-3e30940d Thu 15 May 2003 20:40:10 CEST ASCII-armored key was parsed incorrectly, resulting in wrong key id. Expected Results: gpg-pubkey-54a2acf1-3e30940d Thu 15 May 2003 20:40:10 CEST Additional info: http://www.fedora.us/pipermail/fedora-devel/2003-May/001291.html https://www.redhat.com/mailman/private/rpm-list/2003-May/msg00279.html https://www.redhat.com/archives/redhat-list-de/2003-May/msg00113.html http://groups.google.de/groups?ie=UTF-8&oe=UTF-8&as_umsgid=69f31d11.0303081433.e105922%40posting.google.com&lr=&hl=de
$ rpm -q rpm rpm-4.3.3-13_nonptl $ gpg --keyserver pgp.mit.edu --recv-keys 30c9ecf8 gpg: key 30C9ECF8: "Fedora Project (Test Software) <rawhide@redhat.com>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 $ gpg --export -a 30c9ecf8 > key7.txt $ gpg key7.txt pub 1024D/30C9ECF8 2003-10-27 Fedora Project (Test Software) <rawhide@redhat.com> $ sudo rpm --import key7.txt Password: $ rpm -q gpg-pubkey --last | head -1 gpg-pubkey-5a2457cf-429f0aee Sat 22 Jul 2006 10:40:40 AM EDT $ rpm -qi gpg-pubkey-5a2457cf-429f0aee > foo.txt $ gpg foo.txt pub 1024D/30C9ECF8 2003-10-27 Fedora Project (Test Software) <rawhide@redhat.com> So it's just the package name that's wrong, the data is still right though.
rpm-4.4.2 and later calculate the fingerprint correctly, rather than relying on field within the pubkey for the fingerprint. Either use gpg to edit the pubkey packets before importing, or upgrade/backport the changes in rpm-4.4.2.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0315.html