Red Hat Bugzilla – Bug 3139
Last modified: 2008-05-01 11:37:50 EDT
$ rpm -K --nopgp rpm-3.0.1-12.5.2.i386.rpm
rpm-3.0.1-12.5.2.i386.rpm: size md5 GPG NOT OK
This doesn't look right to me. My currently
installed rpm program is:
$ rpm -q rpm
I have downloaded this package from several
sites, the downloads always cmp, and always
give these results.
Is this a bug or am I missing something?
I signed the rpm-3.0.1-* with gpg as well as pgp2.6.3. If pgp
verifies, then the package is OK. AFAIK this is the first set
of packages ever to be signed with gpg.
As for gpg, I used gnupg-0.9.7 which is probably newer than the
version that you are using. Could you verify whether the problem
persists if you upgrade to gnupg-0.9.7? Thanks
What I really want to do is test a .rpm file to see if
it has survived download intact. I don't understand
how to use the PGP or GPG checking. So I issued a command
which would check size and MD5 only. The --nopgp is
supposed to cut off sig checking. It apparently didn't.
Perhaps --nopgp should really be --nosigchk or you should
add --nogpg? In the meantime I'm trying to figure out
how to do a sig check...
Ah, then you need to add "--nogpg" to the command line.
You may use popt to implement --nosigchk. Put the following
rpm alias --nosigchk --nopgp --nogpg
If you want to actually check signatures, then install pgp2.6.3
I have downloaded and installed pgp-2.6.3usa3, cmp'd both rufus and
replay downloads, they were the same, so pgp should be good.
I added the key in /usr/doc/rpm-3.0.1/RPM-PGP-KEY
I get the following:
# rpm -K rpm-3.0.1-12.5.2.i386.rpm
rpm-3.0.1-12.5.2.i386.rpm: size (PGP) md5 (GPG) OK (MISSING KEYS:
Is rpm itself signed under yet another key (not RedHat's)?
I've been RTFM'ing for the last 2 hours on where to get additional
keys (PGP and GPG). Any hints here?
Other RedHat packages, like netscape-*.rpm updates, do check out OK
for RedHat's PGP.
I would be glad to test the GPG on rpm-3.0.1-12.5.2.i386.rpm and
report here if I could only figure out where to get keys...
BTW, thanks for the help.
Yes the rpm rpm was signed by me, not by Red Hat. Send me mail
(email@example.com) if you wish my keys.
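The thread turns on reading two different `rpm -K` result lines correctly: "size md5 GPG NOT OK" (bytes intact, signature check failed) and "size (PGP) md5 (GPG) OK (MISSING KEYS:" (bytes intact, no key to check against). The script below is an added example, not code from the bug report or from rpm itself; it classifies a single line of `rpm -K` output so a download script can separate "damaged in transit" from "signature unverifiable" and "signature failed". The conventions it assumes are rpm's --checksig output style (lowercase check name = passed, UPPERCASE = failed) plus the reading of parenthesised names as "could not be checked" that the thread's second result line suggests; the sample lines other than the two taken from the thread are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from rpm itself.
# Classifies one line of `rpm -K` (--checksig) output so that a download
# script can distinguish "file damaged in transit" from "signature could not
# be checked" and "signature check failed".
#
# Conventions assumed here, taken from rpm's --checksig output style and from
# the two result lines quoted in the thread:
#   lowercase check name  -> check passed          (size, md5, pgp, gpg)
#   UPPERCASE check name  -> check failed          (SIZE, MD5, PGP, GPG)
#   (name) in parentheses -> check could not run,  e.g. "(GPG) ... (MISSING KEYS:"
#                            because the public key is not installed

rpm_k_verdict() {
    line=$1
    checks=${line#*: }          # strip the "filename: " prefix
    padded=" $checks "          # pad so tokens can be matched whole

    # Uppercase SIZE or MD5: the payload does not match what the header
    # describes. Whatever the signature columns say, the file is not intact.
    case "$padded" in
        *" SIZE "*|*" MD5 "*) echo corrupt; return 0 ;;
    esac
    # Integrity passed but no key to verify the signature against
    # (the reporter's second result, before obtaining the maintainer's key).
    case "$checks" in
        *"(MISSING KEYS"*) echo unverified-signature; return 0 ;;
    esac
    # Integrity passed but a signature check itself failed (the reporter's
    # first result): wrong key, or a gpg version mismatch as discussed above.
    case "$checks" in
        *"NOT OK"*) echo bad-signature; return 0 ;;
        *OK*)       echo ok; return 0 ;;
    esac
    echo unknown
    return 1
}

# "Did the file survive the download?" is the reporter's actual question:
# size and md5 passing answers it, even when the signature is unverifiable
# or wrong. Returns 0 when the bytes are intact, 1 otherwise.
payload_intact() {
    case "$(rpm_k_verdict "$1")" in
        ok|unverified-signature|bad-signature) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample lines: the first two mirror the thread's output, the
# last two are invented to exercise the remaining branches.
SAMPLE_LINES='rpm-3.0.1-12.5.2.i386.rpm: size md5 GPG NOT OK
rpm-3.0.1-12.5.2.i386.rpm: size (PGP) md5 (GPG) OK (MISSING KEYS: ...)
netscape-example.i386.rpm: size pgp md5 OK
truncated-example.i386.rpm: SIZE pgp MD5 NOT OK'

# With real packages: rpm -K *.rpm | while IFS= read -r l; do ...; done
printf '%s\n' "$SAMPLE_LINES" | while IFS= read -r l; do
    printf '%-22s %s\n' "$(rpm_k_verdict "$l")" "${l%%:*}"
done
```

Note that "bad-signature" on an intact payload is exactly the situation the reporter hit with an older gnupg: the verdict tells you the bytes match the header, but it cannot tell you whether the signature failure is a tooling mismatch or a real problem, so a script should treat it as "do not install" rather than "corrupt, re-download".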