Importing third-party developer's public keys

Ville Skyttä ville.skytta at iki.fi
Fri Jul 23 06:02:11 UTC 2004


On Fri, 2004-07-23 at 08:01, Michel Salim wrote:

> I checked fedora-installdevkeys and it seems to just perform rpm
> --root ~/.fedorarpm --import PUBKEY; so after downloading the
> developer's public key (gpg --recv-keys 1b4259b3 ; gpg --export
> --armor 1b4259b3 > PUBKEY) I did just this.
> 
> rpmlint'ing or fedora-rpmchecksig'ing the .src.rpm kept giving a
> MISSING KEY warning though. What did I do wrong?

rpmlint does not use ~/.fedorarpm, so MISSING KEY is expected with it.

fedora-rpmchecksig does use it, but in order to successfully import some
keys, after retrieving them from a keyserver one may have to "strip" extra
signatures (i.e. all but the self-signature) and/or identities from them
due to a bug in rpm: https://bugzilla.redhat.com/90952

This is not specific to fedora-rpmchecksig BTW, but applies to rpm and
GPG keys in general.  People have posted utilities for doing the key
stripping to bugzilla.fedora.us and elsewhere, maybe we should include
one of those in rpmdevtools.
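
The signature-stripping step described in the message above, as an added Python example (not part of the original post and not one of the utilities posted to bugzilla): it walks the OpenPGP packets of a binary key export and keeps only the signature packets whose claimed issuer is the primary key. Assumptions: a v4 primary key, definite-length packets, and no cryptographic verification of the signatures; the function names are hypothetical.

```python
import hashlib

def varlen(buf, i):  # new-format length at buf[i] -> (length, next index)
    n = buf[i]
    if n < 192:
        return n, i + 1
    if n < 255:
        return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packets(data):
    """Yield (tag, raw packet, body) per packet; definite lengths, complete input."""
    i = 0
    while i < len(data):
        start, hdr = i, data[i]
        if hdr & 0xC0 == 0xC0 and not 224 <= data[i + 1] < 255:   # new format
            tag, (n, i) = hdr & 0x3F, varlen(data, i + 1)
        elif hdr & 0xC0 == 0x80 and hdr & 3 != 3:                 # old format
            tag, w = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(data[i + 1:i + 1 + w], "big"), i + 1 + w
        else:
            raise ValueError("unsupported packet header or length type")
        i += n
        yield tag, data[start:i], data[i - n:i]

def issuer(sig):
    """Key ID a signature claims as issuer: v3 field, or v4 subpacket type 16."""
    if sig[0] != 4:
        return sig[7:15] if sig[0] == 3 else None
    h = int.from_bytes(sig[4:6], "big")          # hashed subpacket area length
    u = int.from_bytes(sig[6 + h:8 + h], "big")  # unhashed subpacket area length
    area, j = sig[6:6 + h] + sig[8 + h:8 + h + u], 0
    while j < len(area):
        n, j = varlen(area, j)
        if n and area[j] & 0x7F == 16:
            return area[j + 1:j + n]
        j += n
    return None

def strip_foreign_sigs(data):
    """Drop signature packets whose claimed issuer is not the primary key."""
    out, keyid = [], None
    for tag, raw, body in packets(data):
        if tag == 6 and keyid is None:   # primary key; v4 key ID = low 64 bits of SHA-1
            keyid = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]
        if tag != 2 or issuer(body) == keyid:
            out.append(raw)
    return b"".join(out)
```

The input is the binary (non-armored) form of the key, as produced by `gpg --export` without `--armor`; extra identities are left in place, only third-party signatures are removed.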




