Bug 28328 - up2date complains that the public key is missing
Summary: up2date complains that the public key is missing
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: up2date (Show other bugs)
(Show other bugs)
Version: 7.0
Hardware: i386 Linux
Target Milestone: ---
Assignee: Adrian Likins
QA Contact: Jay Turner
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-02-19 17:36 UTC by Gregory Leblanc
Modified: 2015-01-07 23:43 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-12-18 15:29:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Gregory Leblanc 2001-02-19 17:36:23 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22 i686; en-US; m18)

The up2date program gives an error when run from the command like stating
that the RedHat, Inc. gpg public keyring is not on my public keyring.

Reproducible: Always
Steps to Reproduce:
1.Install RedHat without X
2.log in, run up2date at the command line
3.observe message

Actual Results:  up2date refused to download, or even try to download, any

Expected Results:  instructions should have been given on adding the public
key to my keyring, and the option to download packages without checking
signatures should have been provided.

Comment 1 Adrian Likins 2001-02-19 18:15:41 UTC
This should be corrected in the most recent versions of the client.
They now include information about how to add the Red Hat package
signing key to your gnupg keyring.

Comment 2 Cristian Gafton 2001-02-20 01:33:54 UTC
Assigned QA to jturner

Comment 3 Preston Brown 2001-02-20 17:31:17 UTC
that said, it is not really a bug.  You need to either turn off GPG signature
checking in up2date-config, or install the GPG key.

Comment 4 Milan Kerslager 2001-05-11 21:20:41 UTC
When up2date instruct user to import the RH's public key, there should be at
least a sentence about verifying the fingerprint of the public key. Without
veryfiing the key is digital signing of the packages equal to trust to any
potential hacker (cracker) in my system and has zero effectivity.

The better way is to obtain the key and the fingerprint from the original media,
phone, original manual etc (ofcourse). This shoul be mentioned by up2date IMHO.

Comment 5 Alan Cox 2002-12-18 15:29:28 UTC
up2date imports the key itself now. It does it via https:// so in effect you are
trusting the https key tied to the domain and signed by the cert agency to
authenticate the RH key. That doesn't seem too unreasonable

Note You need to log in before you can comment on or make changes to this bug.