Bug 63301 - unknown signatures aren't warned
Summary: unknown signatures aren't warned
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: up2date   
(Show other bugs)
Version: 7.3
Hardware: i386 Linux
medium
medium
Target Milestone: ---
Assignee: Adrian Likins
QA Contact: Jay Turner
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-04-12 06:10 UTC by Chris Ricker
Modified: 2015-01-07 23:55 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-04-12 18:51:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2002:140 normal SHIPPED_LIVE Updated up2date and rhn_register packages available 2002-07-11 04:00:00 UTC
Red Hat Product Errata RHSA-2003:177 normal SHIPPED_LIVE : Updated up2date and rhn_register clients available 2003-05-27 04:00:00 UTC

Description Chris Ricker 2002-04-12 06:10:13 UTC
up2date appears to be ignoring GPG signatures which it can't understand.

When downloading packages which are unsiqned it warns.  However, when
downloading packages signed with a signature it doesn't recognize (such as the
beta RPMs signed with the beta key), it downloads and installs them without
generating any warnings.

Comment 1 Adrian Likins 2002-04-12 18:22:11 UTC
The beta gpg key should be on the new default keyring
(/etc/sysconfig/rhn/up2date-keyring.gpg), so the key
is known.

Comment 2 Chris Ricker 2002-04-12 18:27:21 UTC
It doesn't appear to be, at least judging by the failed checks seen from rpm
--checksig against the new packages

Comment 3 Adrian Likins 2002-04-12 18:51:37 UTC
rpm doesnt use the up2date keyring by default, so you will
need to add the key to roots keyring (or whatever keyring
you use to validate rpms with).

try `gpg --import /usr/share/rhn/BETA-RPM-GPG-KEY`
and then verifing the package...



Comment 4 Chris Ricker 2002-04-13 02:23:16 UTC
Ah, I was thinking rpm would already have the keys.  I'll close this then, since
everything works as it should after I add the keys to the user running rpm.

Comment 5 Bill Peck 2003-05-27 15:27:57 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-177.html



Note You need to log in before you can comment on or make changes to this bug.