From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22 i686; en-US; m18) Gecko/20010205

The up2date program gives an error when run from the command line stating that the RedHat, Inc. gpg public keyring is not on my public keyring.

Reproducible: Always

Steps to Reproduce:
1. Install RedHat without X
2. Log in, run up2date at the command line
3. Observe message

Actual Results: up2date refused to download, or even try to download, any packages.

Expected Results: instructions should have been given on adding the public key to my keyring, and the option to download packages without checking signatures should have been provided.
This should be corrected in the most recent versions of the client. They now include information about how to add the Red Hat package signing key to your gnupg keyring.
Assigned QA to jturner
That said, it is not really a bug. You need to either turn off GPG signature checking in up2date-config, or install the GPG key.
When up2date instructs the user to import RH's public key, there should be at least a sentence about verifying the fingerprint of the public key. Without verifying the key, digital signing of the packages is equal to trusting any potential hacker (cracker) in my system and has zero effectiveness. The better way is to obtain the key and the fingerprint from the original media, phone, original manual, etc. (of course). This should be mentioned by up2date, IMHO.
up2date imports the key itself now. It does it via https://, so in effect you are trusting the https key tied to the domain and signed by the cert agency to authenticate the RH key. That doesn't seem too unreasonable.
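The fingerprint check requested in the comment about verifying the key before import, as an added example that is not part of this bug report or of up2date. The function names, the sample listing and its fingerprint are constructed for illustration, and `verify_and_import` assumes a GnuPG 2.x release that supports `--show-keys`.

```shell
#!/bin/sh
# Added example: import a package-signing key only if its fingerprint matches
# one obtained out of band (install media, printed manual, phone).

# Constructed sample of `gpg --with-colons` output; not a real key.
CONSTRUCTED_LISTING='pub:-:1024:17:89ABCDEF01234567:978307200:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::978307200::::Example Signing Key (constructed) <security@example.invalid>:'

# Normalize a fingerprint as people write it: drop spaces and colons, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'abcdef' 'ABCDEF'
}

# Read a colon-format listing on stdin and print the primary key fingerprint
# (field 10 of the first "fpr" record). Prints nothing unless the listing
# holds exactly one public key, so a bundle of several keys never matches.
primary_fpr() {
    awk -F: '$1 == "pub" { n++ }
             $1 == "fpr" && !seen { f = $10; seen = 1 }
             END { if (n == 1) print f }'
}

# Return 0 only if the listing on stdin carries the expected fingerprint.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(primary_fpr)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Inspect the key file without touching the keyring, then import on a match.
# Both arguments come from the caller; the fingerprint must come from a
# source other than the one that supplied the key file.
verify_and_import() {
    keyfile=$1
    trusted_fpr=$2
    if gpg --show-keys --with-colons "$keyfile" | fpr_matches "$trusted_fpr"; then
        gpg --import "$keyfile"
    else
        echo "fingerprint mismatch: not importing $keyfile" >&2
        return 1
    fi
}
```

The comparison only adds assurance when the trusted fingerprint arrives over a different channel than the key file itself.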