With rpm-4.1-0.34 "rpm --import" will happily create duplicate entries if importing a keyfile when the key is already there. It should: - complain - skip the key, unless --force is used.
*** Bug 68306 has been marked as a duplicate of this bug. ***
I disagree, what's there is adequate for now, as it's gonna take a bit to stabilize a new signature for rpm packages. What's really needed is to eliminate --import entirely, and distribute pubkeys in packages. For that to happen, rpm needs to be taught the web-of-trust, following signed keys until a "ultimate trust" bit is encountered.
Web of trust is good, but it has to be rooted somewhere. Rooting @redhat is good, but insufficient - there still needs to be a method for importing locally-trusted keys. Also, some people might want to have "partially trusted" keys as well...
Yup, the rooting is at a key, possibly their own, that a user claims ultimate trust in.
Still there with rpm-4.2.1-0.30 in Fedora Core. This have been deferred for over a year and the --import is still there and has no sign of going away. Reopening.
In case anyone has arrived at this bug looking for a working solution to remove the duplicate keys: # rpm --allmatches -e gpg-pubkey-duplicate-keyname This will remove ALL instances of the duplicate key, then you may go back and add one copy of the key again. See this post for more details: http://www.redhat.com/archives/fedora-devel-list/2004-March/msg00224.html
Just adding my two bits to this bug, making sure people still know about it. At the very least rpm shouldn't try to import the key again. Having multiple entries for the same key is pointless. I'm currently using the following scriptlet to detect presence of the key and not import it if it exists: keyid=$(gpg $file 2> /dev/null | head -n 1 | \ sed -e 's/.\+\([0-9A-F]\{8\}\).\+/\1/g' | \ tr [A-F] [a-f]) rpm -q gpg-pubkey-$keyid &> /dev/null || \ rpm --import $file
Fedora Core 1 is maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thanks! NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy project. After Fedora Core 6 Test 2 is released (currently scheduled for July 26th), there will be no more security updates for FC1. Please use these next two weeks to upgrade any remaining FC1 systems to a current release.
The rpm-4.3.3-13_nonptl package in RHEL WS 4 still has this problem and so is the rpm-4.3.2-21 in FC3. I can not test FC4-5 ATM, but my guess is that it also exists there.
Please test on FC5 or newer when you get the chance -- FC3 is also under the auspices of Fedora Legacy, and FC4 will be in a few weeks. Thanks!
Problem is still there in FC5. The issue is that rpm does not separate "trust" from "existence" of pubkeys. Hence, rpm does exactly what its told to do by the end-user, including install multiple copies of pubkeys if the user requests.
User pnasrat's account has been closed
Reassigning to owner after bugzilla made a mess, sorry about the noise...
Since Fedora Core 5 is not supported anymore, can anyone reproduce this bug on Fedora 8?
The behavior hasn't changed. Moving to devel to avoid "timeouting"...
Based on the date this bug was created, it appears to have been reported against rawhide during the development of a Fedora release that is no longer maintained. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained. If this bug remains in NEEDINFO thirty (30) days from now, we will automatically close it. If you can reproduce this bug in a maintained Fedora version (7, 8, or rawhide), please change this bug to the respective version and change the status to ASSIGNED. (If you're unable to change the bug's version or status, add a comment to the bug and someone will change it for you.) Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.
Removing NEEDINFO per comment #15 posted 2007-11-13 by the current bug assignee: > The behavior hasn't changed. Moving to devel to avoid "timeouting"...
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
rpm-4.5.90-0.git8461.1 in rawhide no longer imports duplicate keys.