Bug 68290 - rpm --import should complain if the key is already there (and skip?)
Product: Fedora
Classification: Fedora
Component: rpm
i386 Linux
medium Severity low
Assigned To: Panu Matilainen
Duplicates: 68306
Reported: 2002-07-08 17:25 EDT by Aleksey Nogin
Modified: 2008-08-08 08:26 EDT
Doc Type: Bug Fix
Last Closed: 2008-08-08 08:26:37 EDT
Description Aleksey Nogin 2002-07-08 17:25:05 EDT
With rpm-4.1-0.34 "rpm --import" will happily create duplicate entries if
importing a keyfile when the key is already there. It should:
- complain
- skip the key, unless --force is used.
Comment 1 Aleksey Nogin 2002-07-08 20:56:10 EDT
*** Bug 68306 has been marked as a duplicate of this bug. ***
Comment 2 Jeff Johnson 2002-07-09 10:12:08 EDT
I disagree, what's there is adequate for now,
as it's gonna take a bit to stabilize a new
signature for rpm packages.

What's really needed is to eliminate --import
entirely, and distribute pubkeys in packages.

For that to happen, rpm needs to be taught the
web-of-trust, following signed keys until
an "ultimate trust" bit is encountered.

Comment 3 Aleksey Nogin 2002-07-09 16:44:46 EDT
Web of trust is good, but it has to be rooted somewhere. Rooting @redhat is
good, but insufficient - there still needs to be a method for importing
locally-trusted keys. Also, some people might want to have "partially trusted"
keys as well...
Comment 4 Jeff Johnson 2002-07-09 16:47:44 EDT
Yup, the rooting is at a key, possibly their
own, that a user claims ultimate trust in.
Comment 5 Aleksey Nogin 2003-11-20 18:07:34 EST
Still there with rpm-4.2.1-0.30 in Fedora Core. This has been
deferred for over a year and the --import is still there and has no
sign of going away. Reopening.
Comment 6 David D. Kilzer 2004-08-25 15:43:38 EDT
In case anyone has arrived at this bug looking for a working solution
to remove the duplicate keys:

# rpm --allmatches -e gpg-pubkey-duplicate-keyname

This will remove ALL instances of the duplicate key, then you may go
back and add one copy of the key again.

See this post for more details:

Comment 7 Ignacio Vazquez-Abrams 2005-02-25 15:54:50 EST
Just adding my two bits to this bug, making sure people still know about it.

At the very least rpm shouldn't try to import the key again. Having multiple
entries for the same key is pointless.

I'm currently using the following scriptlet to detect presence of the key and
not import it if it exists:

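# $file is the path to the public key file to import
keyid=$(gpg "$file" 2> /dev/null | head -n 1 | \
  sed -e 's/.\+\([0-9A-F]\{8\}\).\+/\1/g' | \
  tr 'A-F' 'a-f')
# import only if no gpg-pubkey entry for this key ID exists yet
rpm -q "gpg-pubkey-$keyid" > /dev/null 2>&1 || \
  rpm --import "$file"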
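
Added example, not part of the original thread and not rpm's own code: a sketch that covers both workarounds above by listing gpg-pubkey entries installed more than once (Comment 6) and skipping an import when the key ID is already present (Comment 7). The function names and the sample listing are constructed for illustration; the functions read `rpm -q gpg-pubkey` output on stdin so they can be checked without touching the rpm database.

```shell
#!/bin/sh
# Constructed sample of `rpm -q gpg-pubkey` output (key IDs are made up).
# Entries are named gpg-pubkey-<last 8 hex digits of key ID>-<creation time in hex>.
SAMPLE_RPM_Q='gpg-pubkey-0a1b2c3d-3f9d8e10
gpg-pubkey-deadbeef-41a2b3c4
gpg-pubkey-0a1b2c3d-3f9d8e10
gpg-pubkey-0a1b2c3d-3f9d8e10'

# Read `rpm -q gpg-pubkey` output on stdin; print "<count> <entry>" for
# every entry that is installed more than once.
dup_pubkeys() {
    sort | uniq -c | awk '$1 > 1 { print $1, $2 }'
}

# Succeed if the 8-hex-digit key ID in $1 (any case) has an entry in the
# `rpm -q gpg-pubkey` output on stdin. The key ID is compared as a literal
# prefix, so odd characters in $1 cannot act as a pattern.
pubkey_present() {
    keyid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r line; do
        case $line in
            "gpg-pubkey-$keyid-"*) return 0 ;;
        esac
    done
    return 1
}

# Import key file $2 only when key ID $1 is not in the rpm database yet.
# Hypothetical wrapper: needs rpm and root, so it is defined but not run here.
import_once() {
    if rpm -q gpg-pubkey | pubkey_present "$1"; then
        echo "key $1 already imported, skipping" >&2
        return 0
    fi
    rpm --import "$2"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RPM_Q" | dup_pubkeys
```

On a real system, feed the first function with `rpm -q gpg-pubkey | dup_pubkeys`; each entry it reports can be cleaned up with the `rpm --allmatches -e` command from Comment 6, followed by a single re-import.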
Comment 8 Matthew Miller 2006-07-11 13:20:25 EDT
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.


NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.

Comment 9 Aleksey Nogin 2006-07-11 18:00:51 EDT
The rpm-4.3.3-13_nonptl package in RHEL WS 4 still has this problem and so does
the rpm-4.3.2-21 in FC3. I cannot test FC4-5 ATM, but my guess is that it also
exists there.
Comment 10 Matthew Miller 2006-07-11 21:51:57 EDT
Please test on FC5 or newer when you get the chance -- FC3 is also under the
auspices of Fedora Legacy, and FC4 will be in a few weeks.

Comment 11 Jeff Johnson 2006-08-05 04:54:35 EDT
Problem is still there in FC5.

The issue is that rpm does not separate "trust" from "existence"
of pubkeys.

Hence, rpm does exactly what it's told to do by the end-user, including
installing multiple copies of pubkeys if the user requests.
Comment 12 Red Hat Bugzilla 2007-08-21 01:16:58 EDT
User pnasrat@redhat.com's account has been closed
Comment 13 Panu Matilainen 2007-08-22 02:29:45 EDT
Reassigning to owner after bugzilla made a mess, sorry about the noise...
Comment 14 petrosyan 2007-11-12 17:01:04 EST
Since Fedora Core 5 is not supported anymore, can anyone reproduce this bug on
Fedora 8?
Comment 15 Panu Matilainen 2007-11-13 00:58:22 EST
The behavior hasn't changed. Moving to devel to avoid "timeouting"...
Comment 16 Bug Zapper 2008-04-03 11:25:23 EDT
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 17 Aleksey Nogin 2008-04-03 11:57:09 EDT
Removing NEEDINFO per comment #15 posted 2007-11-13 by the current bug assignee:

> The behavior hasn't changed. Moving to devel to avoid "timeouting"...

Comment 18 Bug Zapper 2008-05-13 21:54:56 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 19 Panu Matilainen 2008-08-08 08:26:37 EDT
rpm-4.5.90-0.git8461.1 in rawhide no longer imports duplicate keys.
