Red Hat Bugzilla – Bug 28328
up2date complains that the public key is missing
Last modified: 2015-01-07 18:43:39 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22 i686; en-US; m18)
The up2date program gives an error when run from the command line stating
that the RedHat, Inc. gpg public keyring is not on my public keyring.
Steps to Reproduce:
1. Install RedHat without X
2. Log in, run up2date at the command line
Actual Results: up2date refused to download, or even try to download, any
Expected Results: instructions should have been given on adding the public
key to my keyring, and the option to download packages without checking
signatures should have been provided.
This should be corrected in the most recent versions of the client.
They now include information about how to add the Red Hat package
signing key to your gnupg keyring.
Assigned QA to jturner
That said, it is not really a bug. You need to either turn off GPG signature
checking in up2date-config, or install the GPG key.
When up2date instructs the user to import RH's public key, there should be at
least a sentence about verifying the fingerprint of the public key. Without
verifying the key, digital signing of the packages is equal to trusting any
potential hacker (cracker) in my system and has zero effectiveness.
The better way is to obtain the key and the fingerprint from the original media,
phone, original manual etc. (of course). This should be mentioned by up2date IMHO.
up2date imports the key itself now. It does it via https:// so in effect you are
trusting the https key tied to the domain and signed by the cert agency to
authenticate the RH key. That doesn't seem too unreasonable.
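
The fingerprint check asked for in the comments above, as an added example that is not part of the original bug thread or of up2date: it compares the primary-key fingerprint in a GnuPG colon-format listing against a value obtained out of band before anything is imported. The function names, the sample listing and its fingerprints are constructed for illustration, and a 40-hex-digit (v4) fingerprint is assumed.

```shell
#!/bin/sh
# Added example: accept a key only if its primary fingerprint matches one
# obtained out of band (install media, printed manual, phone).
# Assumption: the listing comes from `gpg --show-keys --with-colons FILE`.

# Constructed sample listing; key IDs and fingerprints are made up.
SAMPLE_LISTING='pub:-:1024:17:0123456789ABCDEF:946684800:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::946684800::::Example Signing Key (constructed) <security@example.invalid>:
sub:-:2048:16:7777888899990000:946684800::::::e:
fpr:::::::::1111222233334444555566667777888899990000:'

# Strip spaces and colons, uppercase hex, so printed forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Print the fingerprint (field 10) of the first "fpr" record after "pub".
# Subkey fingerprints (after "sub") are deliberately ignored.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# check_key_listing EXPECTED < listing
# 0 = match, 1 = mismatch or no key found, 2 = EXPECTED is not 40 hex digits.
check_key_listing() {
    expected=$(normalize_fpr "$1")
    actual=$(primary_fpr)
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Demo: the expected value is typed the way it is usually printed.
if printf '%s\n' "$SAMPLE_LISTING" |
   check_key_listing 'AAAA BBBB CCCC DDDD EEEE  FFFF 0123 4567 89AB CDEF'; then
    echo "fingerprint matches: safe to import"
else
    echo "fingerprint mismatch: do not import"
fi
```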