Bug 55835 - rpm check signature fails first time it is run
Summary: rpm check signature fails first time it is run
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm (Show other bugs)
(Show other bugs)
Version: 7.2
Hardware: i386 Linux
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2001-11-07 15:21 UTC by Jeremy Sanders
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-11-07 17:36:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Jeremy Sanders 2001-11-07 15:21:57 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011012

Description of problem:
If there is no ~/.gnupg directory, rpm --checksig gives an incorrect result
the first time it is run. e.g.

[root@xpc1 RPMS]# rm -rf ~/.gnupg/
[root@xpc1 RPMS]# rpm --checksig LPRng-3.7.4-28.i386.rpm
LPRng-3.7.4-28.i386.rpm: md5 GPG NOT OK
[root@xpc1 RPMS]# rpm --checksig LPRng-3.7.4-28.i386.rpm
LPRng-3.7.4-28.i386.rpm: md5 (GPG) OK (MISSING KEYS: GPG#DB42A60E) 
This is confusing, as it appears the rpm has changed contents.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Remove .gnupg directory
2. Use rpm --checksig on rpm from RedHat distribution.

Additional info:

Comment 1 Michael Schwendt 2001-11-07 17:36:24 UTC
Add a third step:

3. ll ~/.gnupg

You'll discover that gnupg has created a default ~/.gnupg which contains a
default options file and an empty public and secure key-ring.

Comment 2 Jeff Johnson 2001-11-09 20:11:04 UTC
You also need to use gpg to import whatever public keys
you wish to use for package verification.

Comment 3 Jeremy Sanders 2001-11-09 20:54:25 UTC
I still think this a bug. I'm aware you need to import keys, but the initial
message (which you'd get after a fresh install) is:

LPRng-3.7.4-28.i386.rpm: md5 GPG NOT OK

Which implies there's something wrong with the package (it doesn't even say the
md5 is okay), even though it just means that gpg hasn't been run before. rpm
should give the same message on different invocations.

Comment 4 Jeff Johnson 2001-11-09 21:43:22 UTC
I think it's a bug too, fix well underway on
the development branch of rpm. Hint: signatures
are always verified when package is read, user
doesn't get a choice.

Note You need to log in before you can comment on or make changes to this bug.