yum GPG verify and package sigs...

Warren Togami wtogami at redhat.com
Sat Jul 23 11:20:24 UTC 2005


I just noticed that using yum's default FC4 configuration, it is 
seemingly impossible to install packages like docbook-utils which is 
signed by a different GPG key than the default specified to that 
repository in /etc/yum.repos.d/fedora.repo.  I suppose this is partially 
my fault because I'm the last person to touch that repo file, but it is 
strange to me that I never noticed this problem until now.

I *like* that yum enforces this strictly, but are there any good reasons 
why we should allow packages in a repo to be signed by two or more valid 
keys rather than a single key?

Did we screw up by not re-signing everything in base before pushing FC4, 
or is this really a yum config problem?

Any ideas how we should fix this now?  Should we re-sign the entire repo 
and push that to mirrors?

Or maybe less radically update yum so the repo file allows both keys? 
(Use this as a one-time kludge for FC4, and in the future make sure each 
repo uses *one* key.)

Warren Togami
wtogami at redhat.com

Demonstration of docbook-utils install failing:
===============================================
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID db42a60e
public key not available for docbook-utils-0.6.14-4.noarch.rpm
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

The GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora (0x4F2A6FD2)
is already installed but is not the correct key for this package.
Check that this is the correct key for the "Fedora Core 4 - i386 - Base" 
repository.

Some other examples in FC4 base signed by the older key,
which seems to be packages built Sept 2004 and earlier.
========================================================
anaconda-help
autoconf
automake14
automake15
bitmap-fonts-cjk
caching-nameserver
crontabs
docbook-simple
docbook-slides
docbook-utils-100dpi
fonts-KOI8-R
fonts-KOI8-R-75dpi
ghostscript-fonts
man-pages-cs

Unscientific count of packages in FC4 base signed with this other key
=====================================================================
rpm -qpi *.rpm |grep 219180cddb42a60e |wc -l
35
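An added audit script (not part of the original mail) that turns the grep/wc count above into a per-key tally and lists the packages yum would refuse given the key(s) the repo file points to. It parses `rpm -qpi` output; the sample lines below are constructed, with key IDs matching the two in the mail (short ID db42a60e for the older key, 0x4F2A6FD2 for the configured one) and made-up dates and leading hex digits.

```python
import re
import sys
from collections import Counter

# Constructed sample of `rpm -qpi *.rpm` output (only the fields we need).
SAMPLE_RPM_QPI = """\
Name        : docbook-utils                Relocations: (not relocatable)
Signature   : DSA/SHA1, Wed 08 Sep 2004 01:02:03 PM HST, Key ID 219180cddb42a60e
Name        : yum                          Relocations: (not relocatable)
Signature   : DSA/SHA1, Tue 31 May 2005 04:05:06 AM HST, Key ID b44269d04f2a6fd2
Name        : man-pages-cs                 Relocations: (not relocatable)
Signature   : DSA/SHA1, Fri 03 Sep 2004 07:08:09 AM HST, Key ID 219180cddb42a60e
Name        : unsigned-test                Relocations: (not relocatable)
Signature   : (none)
"""

NAME_RE = re.compile(r"^Name\s*:\s*(\S+)")
SIG_RE = re.compile(r"^Signature\s*:\s*(.*)$")
KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")


def signing_keys(rpm_qpi_output):
    """Map package name -> short (8 hex digit) signing key ID, None if unsigned.

    rpm prints the 16-digit key ID; the short ID that the NOKEY warning and
    yum report (e.g. "key ID db42a60e") is its last 8 digits.
    """
    result, current = {}, None
    for line in rpm_qpi_output.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        m = SIG_RE.match(line)
        if m and current is not None:
            k = KEYID_RE.search(m.group(1))
            result[current] = k.group(1)[-8:].lower() if k else None
    return result


def audit(rpm_qpi_output, trusted_short_ids):
    """Return (package count per key, packages rejected with these repo keys)."""
    keys = signing_keys(rpm_qpi_output)
    counts = Counter(k or "(none)" for k in keys.values())
    trusted = {t[2:].lower() if t.lower().startswith("0x") else t.lower()
               for t in trusted_short_ids}
    rejected = sorted(p for p, k in keys.items() if k not in trusted)
    return counts, rejected


if __name__ == "__main__":  # pipe `rpm -qpi *.rpm` in, or run on the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QPI
    counts, rejected = audit(text, sys.argv[1:] or ["0x4F2A6FD2"])
    print(dict(counts)); print("rejected:", rejected)
```

Running `rpm -qpi *.rpm | python audit_sigkeys.py 0x4F2A6FD2` over a repo tree lists exactly the packages that hit the "not the correct key for this package" error above.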