Red Hat Bugzilla – Bug 493777
rpm --import gets the key id wrong
Last modified: 2010-02-23 07:24:14 EST
Description of problem:
rpm --import determines an erroneous key id for a given GPG key, resulting in an inability to find that key at a future time.
This is a regression in behavior over RHEL 5.2.
Version-Release number of selected component (if applicable):
100% of the time.
Steps to Reproduce:
1. Import the key given in "Additional Info" using "rpm --import" (which comes from http://packages.vmware.com/tools/VMWARE-PACKAGING-GPG-KEY.pub).
rpm creates a new package header, "gpg-pubkey-a6406560-4803fe57".
(You can verify that the key id portion is incorrect by examining the key with gpg.)
rpm creates the package header "gpg-pubkey-66fd4949-4803fe57".
(This is what it does in previous versions of Red Hat).
The only code change I can find in rpm itself would be *nss.patch. Otherwise, it could be a change to a library rather than rpm itself...
Here's the key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (GNU/Linux)
-----END PGP PUBLIC KEY BLOCK-----
I've confirmed that this behavior does not occur in 4.4.2-48 on RHEL 5.3.
Easily verified, this is indeed a regression. Thanks for reporting.
Any hints for workarounds? Right now we (VMware) are recommending people disable signature checks... we've already issued a knowledge base article for that, but obviously it'd be better to fix the package registry so the proper key id may be found. Is there a (user-friendly) means to "rename" the "package", without going into what amounts (especially to an end-user) to risky, deep voodoo (such as directly editing a file, in a fashion that has the potential to royally screw up their system if they're not careful)? Thanks.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.