Bug 3139 - rpm-3.0.1-12.5.2.i386.rpm corrupt?
Summary: rpm-3.0.1-12.5.2.i386.rpm corrupt?
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 5.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-05-29 11:31 UTC by youngej
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1999-05-29 18:15:51 UTC
Embargoed:

Attachments (Terms of Use)

Description youngej 1999-05-29 11:31:19 UTC 
$ rpm -K --nopgp rpm-3.0.1-12.5.2.i386.rpm
rpm-3.0.1-12.5.2.i386.rpm: size md5 GPG NOT OK
                                        ^^^^^^
                                        ||||||
This doesn't look right to me.  My currently
installed rpm program is:
$ rpm -q rpm
rpm-3.0-5.2

I have downloaded this package from several
sites, the downloads always cmp, and always
give these results.

Is this a bug or am I missing something?
Comment 1 Jeff Johnson 1999-05-29 13:51:59 UTC 
I signed the rpm-3.0.1-* with gpg as well as pgp2.6.3. If pgp
verifies, then the package is OK. AFAIK this is the first set
of packages ever to be signed with gpg.

As for gpg, I used gnupg-0.9.7 which is probably newer than the
version that you are using. Could you verify whether the problem
persists if you upgrade to gnupg-0.9.7? Thanks
Comment 2 Jeff Johnson 1999-05-29 13:52:59 UTC 
I signed the rpm-3.0.1-* with gpg as well as pgp2.6.3. If pgp
verifies, then the package is OK. AFAIK this is the first set
of packages ever to be signed with gpg.

As for gpg, I used gnupg-0.9.7 which is probably newer than the
version that you are using. Could you verify whether the problem
persists if you upgrade to gnupg-0.9.7? Thanks
Comment 3 youngej 1999-05-29 15:30:59 UTC 
What I really want to do is test a .rpm file to see if
it has survived download intact.  I don't understand
how to use the PGP or GPG checking.  So I issued a command
which would check size and MD5 only.  The --nopgp is
supposed to cut off sig checking.  It apparently didn't.
Perhaps --nopgp should really be --nosigchk or you should
add --nogpg?  In the mean time I'm trying to figure out
how to do a sig check...
Comment 4 Jeff Johnson 1999-05-29 15:44:59 UTC 
Ah, then you need to add "--nogpg" to the command line.
You may use popt to implement --nosigchk. Put the following
in /etc/popt
	rpm	alias --nosigchk 	--nopgp --nogpg

If you want to actually check signatures, then install pgp2.6.3
from ftp.replay.com.
Comment 5 youngej 1999-05-29 18:06:59 UTC 
I have downloaded and installed pgp-2.6.3usa3, cmp'd both rufus and
replay downloads, they were the same, so pgp shoud be good.

I added the key in /usr/doc/rpm-3.0.1/RPM-PGP-KEY

I get the following:
# rpm -K rpm-3.0.1-12.5.2.i386.rpm
rpm-3.0.1-12.5.2.i386.rpm: size (PGP) md5 (GPG) OK (MISSING KEYS:
PGP#73B83325 GPG#1759C6EC)

Is rpm itself signed under yet another key (not RedHat's)?
I've been RTFM'ing for the last 2 hours on where to get additional
keys (PGP and GPG).  Any hints here?

Other RedHat packages, like netscape-*.rpm updates, do check out OK
for RedHat's PGP.

I would be glad to test the GPG on rpm-3.0.1-12.5.2.i386.rpm and
report here if I could only figure out where to get keys...

BTW, thanks for the help.
Comment 6 Jeff Johnson 1999-05-29 18:15:59 UTC 
Yes the rpm rpm was signed by me, not by Red Hat. Send me mail
(jbj) if you wish my keys.
Note You need to log in before you can comment on or make changes to this bug.