Bug 55835 - rpm check signature fails first time it is run
rpm check signature fails first time it is run
Product: Red Hat Linux
Classification: Retired
Component: rpm (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Jeff Johnson
Depends On:
  Show dependency treegraph
Reported: 2001-11-07 10:21 EST by Jeremy Sanders
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-11-07 12:36:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jeremy Sanders 2001-11-07 10:21:57 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011012

Description of problem:
If there is no ~/.gnupg directory, rpm --checksig gives an incorrect result
the first time it is run. e.g.

[root@xpc1 RPMS]# rm -rf ~/.gnupg/
[root@xpc1 RPMS]# rpm --checksig LPRng-3.7.4-28.i386.rpm
LPRng-3.7.4-28.i386.rpm: md5 GPG NOT OK
[root@xpc1 RPMS]# rpm --checksig LPRng-3.7.4-28.i386.rpm
LPRng-3.7.4-28.i386.rpm: md5 (GPG) OK (MISSING KEYS: GPG#DB42A60E) 
This is confusing, as it appears the rpm has changed contents.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Remove .gnupg directory
2. Use rpm --checksig on rpm from RedHat distribution.

Additional info:
Comment 1 Michael Schwendt 2001-11-07 12:36:24 EST
Add a third step:

3. ll ~/.gnupg

You'll discover that gnupg has created a default ~/.gnupg which contains a
default options file and an empty public and secure key-ring.
Comment 2 Jeff Johnson 2001-11-09 15:11:04 EST
You also need to use gpg to import whatever public keys
you wish to use for package verification.
Comment 3 Jeremy Sanders 2001-11-09 15:54:25 EST
I still think this a bug. I'm aware you need to import keys, but the initial
message (which you'd get after a fresh install) is:

LPRng-3.7.4-28.i386.rpm: md5 GPG NOT OK

Which implies there's something wrong with the package (it doesn't even say the
md5 is okay), even though it just means that gpg hasn't been run before. rpm
should give the same message on different invocations.
Comment 4 Jeff Johnson 2001-11-09 16:43:22 EST
I think it's a bug too, fix well underway on
the development branch of rpm. Hint: signatures
are always verified when package is read, user
doesn't get a choice.

Note You need to log in before you can comment on or make changes to this bug.