More GPG signature madness

Sean Earp smearp at mac.com
Fri Apr 16 04:53:27 UTC 2004 

This tends to indicate an incomplete or corrupt download, rather than  
incorrect keys (assuming you did the initial GPG key import...)

#rpm --import /usr/share/doc/fedora-release-1.91/RPM-GPG-KEY*

There are 32 bug reports that I was able to find regarding this problem  
at:  
<https://bugzilla.redhat.com/bugzilla/buglist.cgi? 
bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REO 
PENED&bug_status=NEEDINFO&bug_status=MODIFIED&bug_status=CLOSED&field0 
-0-0=product&type0-0-0=substring&value0-0-0=up2date&field0-0 
-1=component&type0-0-1=substring&value0-0-1=up2date&field0-0 
-2=short_desc&type0-0-2=substring&value0-0-2=up2date&field0-0 
-3=status_whiteboard&type0-0-3=substring&value0-0-3=up2date&field1-0 
-0=product&type1-0-0=substring&value1-0-0=gpg&field1-0 
-1=component&type1-0-1=substring&value1-0-1=gpg&field1-0 
-2=short_desc&type1-0-2=substring&value1-0-2=gpg&field1-0 
-3=status_whiteboard&type1-0-3=substring&value1-0-3=gpg>

(how's THAT for a long URL).

 From bug 111601, Andre Robatino had the following to say:

  "This bug has been around forever.  I complained about it last summer  
during the testing for Fedora 1 and was told that not being able to  
resume downloads was a well-known limitation, and that there was a fix  
in the works but it wasn't stable yet.  Being able to use a mirror is  
_not_ a fix, it only makes the bug less likely to manifest.  A look at  
bugzilla, fedora-list or fedoraforum will show countless duplicate  
reports of this bug by people who don't know what's going on due to the  
misleading error message.  Short of an actual fix, it would help  
greatly if the error message was supplemented by something like "This  
error is probably caused by a server disconnect and up2date's present  
inability to resume downloads.  This bug is much less likely to  
manifest if up2date is directed to a mirror instead of the main  
server."  This can be added trivially, and would eliminate the  
countless duplicate bug reports, which are typically ignored.   On the  
other hand, this should be easy to fix.  I know that up2date saves  
partial downloads in its download directory, and that if a complete  
download is in this directory, up2date will verify the GPG signature  
and not download it again.  All it has to do is instead of first  
checking the GPG, it should check the file size, and if it's too small,  
assume it's a partial download and resume.  The signature should  
_never_ be checked until the file size is correct.  I can't imagine  
this would take more than a dozen or so lines of code to fix."

Long story short, up2date is doing it's GPG check on a file that has  
not fully downloaded or is corrupted (due to network congestion or  
whatnot), and the GPG checksum (of course) does not add up.  Just keep  
trying (I have never had a problem with the DUKE mirror) and once a  
good copy is downloaded, you should be fine (you can delete the  
offending corrupted package from /var/spool/up2date before trying  
again, just to make sure a good copy of the package is downloaded).

As mentioned in (several) of the above bug reports, using a mirror with  
less customers (or more bandwidth) will make recurrence of this bug  
MUCH less likely to occur.  Check out:

http://fedora.artoo.net/faq/#SlowUpdateServers
or
http://www.fedoranews.org/tchung/howto/2004-01-15-yum-speed.shtml

Hope this helps...

-Sean

On Apr 15, 2004, at 8:04 AM, Mark Haney wrote:

> I'm beginning to see those crazy 'bad GPG signature' errors when I run  
> up2date again.  I've not had the problem in a couple of weeks, is  
> anyone else having that problem as well?  Do I need to update my keys  
> again?  Is this GPG-key issue going to settle down after a while or  
> will this be a constant thing?

GPG public key:  <http://homepage.mac.com/smearp/seanpgp.asc>

More information about the fedora-test-list mailing list