Unsigned package

Jesse Keating jkeating at redhat.com
Thu Jun 7 18:21:00 UTC 2007

On Thursday 07 June 2007 14:08:06 Jon Ciesla wrote:
> Trying to upgrade, yum complains:
> Package scons-0.97-2.fc7.noarch.rpm is not signed
> This is from my local mirror, but the one from two other official mirrors
> and d.f.r.c match it.
> rpm --checksig on all of these yields:
> scons-0.97-2.fc7.noarch.rpm: sha1 md5 OK
> Huh?
> Jon
> --
> novus ordo absurdum

A few unsigned packages leaked out in the tree due to some tools errors and 
oversight.  I have a new tree with signed packages and new repodata for the 
signed packages that I'll be uploading at some point today (once my day of 
meetings is over).  There is some impact on users.

Yum caches metadata (and packages) for a period of time (30 minutes).  So 
changing the package checksum without changing the NVR can have some impact:

With a warm cache, and no package in cache, it'll say your package doesn't 
match checksum.  With a warm cache and a already cached (unsigned) package, 
it'll say the package is unsigned.  Once cache expires, it Just Works(tm).  
This only effects the unsigned packages in the tree, all other operations on 
signed packages will be fine.

Jesse Keating
Release Engineer: Fedora
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20070607/538688ef/attachment.sig>

More information about the fedora-devel-list mailing list