Bug 462234 - pygpgme is signed with old key
Summary: pygpgme is signed with old key
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: pygpgme
Version: 8
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Toshio Ernie Kuratomi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-09-14 17:09 UTC by Kasper Dupont
Modified: 2008-09-15 04:30 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-09-15 04:30:40 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Kasper Dupont 2008-09-14 17:09:52 UTC 
Description of problem:
The only version of pygpgme that yum can download is signed with the old potentially compromised key.

Version-Release number of selected component (if applicable):
pygpgme-0.1-6.fc8.i386.rpm

How reproducible:
Always

Steps to Reproduce:
1. Update fedora-release
2. rpm -e gpg-pubkey-4f2a6fd2-3f9d9d3b
3. yum update
  
Actual results:
yum finds that some packages are signed with the old key and asks if I want to install it again.

Expected results:
yum would be able to find a version signed with the new key.

Additional info:
There were a few other packages with the same symptoms, but all the others existed in the DVD image I downloaded long before the compromise. pygpgme is the only package that yum depends on, which could not be found from any secure source.
Comment 1 Toshio Ernie Kuratomi 2008-09-15 04:30:40 UTC 
This sounds like a problem that rel-eng might need to fix or it might be that rel-eng has only resigned the updates repo so far, not the packages in the Everything repo.  You can ask on fedora-devel-list or open a ticket in their issue tracker:

https://fedorahosted.org/rel-eng

This is not a bug in the individual package and shouldn't be fixed by action here, though.
Note You need to log in before you can comment on or make changes to this bug.