Bug 28328 - up2date complains that the public key is missing
Product: Red Hat Linux
Classification: Retired
Component: up2date
i386 Linux
medium Severity medium
Assigned To: Adrian Likins
Jay Turner
: Security
Reported: 2001-02-19 12:36 EST by Gregory Leblanc
Modified: 2015-01-07 18:43 EST
Doc Type: Bug Fix
Last Closed: 2002-12-18 10:29:28 EST
Description Gregory Leblanc 2001-02-19 12:36:23 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22 i686; en-US; m18)

The up2date program gives an error when run from the command line stating
that the RedHat, Inc. gpg public keyring is not on my public keyring.

Reproducible: Always
Steps to Reproduce:
1. Install RedHat without X
2. Log in, run up2date at the command line
3. Observe message

Actual Results:  up2date refused to download, or even try to download, any

Expected Results:  instructions should have been given on adding the public
key to my keyring, and the option to download packages without checking
signatures should have been provided.
Comment 1 Adrian Likins 2001-02-19 13:15:41 EST
This should be corrected in the most recent versions of the client.
They now include information about how to add the Red Hat package
signing key to your gnupg keyring.
Comment 2 Cristian Gafton 2001-02-19 20:33:54 EST
Assigned QA to jturner
Comment 3 Preston Brown 2001-02-20 12:31:17 EST
That said, it is not really a bug.  You need to either turn off GPG signature
checking in up2date-config, or install the GPG key.
Comment 4 Milan Kerslager 2001-05-11 17:20:41 EDT
When up2date instructs the user to import RH's public key, there should be at
least a sentence about verifying the fingerprint of the public key. Without
verifying the key, digital signing of the packages is equal to trusting any
potential hacker (cracker) in my system and has zero effectiveness.

The better way is to obtain the key and the fingerprint from the original media,
phone, original manual etc. (of course). This should be mentioned by up2date IMHO.
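
The check Comment 4 asks for, as an added example that is not part of the bug report or of up2date: compare the fingerprint of the key in a file with one obtained out of band, and import only on a match. The function names, the sample listing and the file path in the closing comment are assumptions made for illustration; the key data is constructed.

```sh
#!/bin/sh
# Added example (not up2date code): gate a key import on a fingerprint that
# was obtained out of band. All key data below is constructed.

# Print the fingerprint normalized to 40 uppercase hex digits, or fail.
# Short key IDs are refused: only the full fingerprint identifies a key.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$f" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# stdin: `gpg --with-colons` listing. Prints one fingerprint per primary key
# (the first fpr record after each pub record; subkey fpr records are skipped).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# check_listing EXPECTED < listing
# 0 = exactly one primary key and it matches; 1 = mismatch;
# 2 = EXPECTED is not a full fingerprint; 3 = zero or several keys in the file.
check_listing() {
    expected=$(normalize_fpr "$1") || { echo "need a full fingerprint" >&2; return 2; }
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || { echo "expected 1 key, found $count" >&2; return 3; }
    [ "$found" = "$expected" ] || { echo "fingerprint mismatch: $found" >&2; return 1; }
}

# Constructed sample listing (not a real key).
SAMPLE_LISTING='pub:-:1024:17:89ABCDEF01234567:1000000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1000000000::::Example Packager <security@example.invalid>:
sub:-:2048:16:0011223344556677:1000000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA980011223344556677:'

printf '%s\n' "$SAMPLE_LISTING" |
    check_listing '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567' && echo "fingerprint ok"

# Real use (hypothetical path and variable; --show-keys needs a recent GnuPG 2.x):
#   gpg --show-keys --with-colons ./RPM-GPG-KEY | check_listing "$FPR" \
#       && rpm --import ./RPM-GPG-KEY
```

The expected fingerprint has to come from a channel other than the one that delivered the key file, otherwise the comparison proves nothing.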
Comment 5 Alan Cox 2002-12-18 10:29:28 EST
up2date imports the key itself now. It does it via https:// so in effect you are
trusting the https key tied to the domain and signed by the cert agency to
authenticate the RH key. That doesn't seem too unreasonable.
