More GPG signature madness
Sean Earp
smearp at mac.com
Fri Apr 16 04:53:27 UTC 2004
This tends to indicate an incomplete or corrupt download, rather than
incorrect keys (assuming you did the initial GPG key import...)
#rpm --import /usr/share/doc/fedora-release-1.91/RPM-GPG-KEY*
There are 32 bug reports that I was able to find regarding this problem
at:
<https://bugzilla.redhat.com/bugzilla/buglist.cgi?
bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REO
PENED&bug_status=NEEDINFO&bug_status=MODIFIED&bug_status=CLOSED&field0
-0-0=product&type0-0-0=substring&value0-0-0=up2date&field0-0
-1=component&type0-0-1=substring&value0-0-1=up2date&field0-0
-2=short_desc&type0-0-2=substring&value0-0-2=up2date&field0-0
-3=status_whiteboard&type0-0-3=substring&value0-0-3=up2date&field1-0
-0=product&type1-0-0=substring&value1-0-0=gpg&field1-0
-1=component&type1-0-1=substring&value1-0-1=gpg&field1-0
-2=short_desc&type1-0-2=substring&value1-0-2=gpg&field1-0
-3=status_whiteboard&type1-0-3=substring&value1-0-3=gpg>
(how's THAT for a long URL).
From bug 111601, Andre Robatino had the following to say:
"This bug has been around forever. I complained about it last summer
during the testing for Fedora 1 and was told that not being able to
resume downloads was a well-known limitation, and that there was a fix
in the works but it wasn't stable yet. Being able to use a mirror is
_not_ a fix, it only makes the bug less likely to manifest. A look at
bugzilla, fedora-list or fedoraforum will show countless duplicate
reports of this bug by people who don't know what's going on due to the
misleading error message. Short of an actual fix, it would help
greatly if the error message was supplemented by something like "This
error is probably caused by a server disconnect and up2date's present
inability to resume downloads. This bug is much less likely to
manifest if up2date is directed to a mirror instead of the main
server." This can be added trivially, and would eliminate the
countless duplicate bug reports, which are typically ignored. On the
other hand, this should be easy to fix. I know that up2date saves
partial downloads in its download directory, and that if a complete
download is in this directory, up2date will verify the GPG signature
and not download it again. All it has to do is instead of first
checking the GPG, it should check the file size, and if it's too small,
assume it's a partial download and resume. The signature should
_never_ be checked until the file size is correct. I can't imagine
this would take more than a dozen or so lines of code to fix."
Long story short, up2date is doing it's GPG check on a file that has
not fully downloaded or is corrupted (due to network congestion or
whatnot), and the GPG checksum (of course) does not add up. Just keep
trying (I have never had a problem with the DUKE mirror) and once a
good copy is downloaded, you should be fine (you can delete the
offending corrupted package from /var/spool/up2date before trying
again, just to make sure a good copy of the package is downloaded).
As mentioned in (several) of the above bug reports, using a mirror with
less customers (or more bandwidth) will make recurrence of this bug
MUCH less likely to occur. Check out:
http://fedora.artoo.net/faq/#SlowUpdateServers
or
http://www.fedoranews.org/tchung/howto/2004-01-15-yum-speed.shtml
Hope this helps...
-Sean
On Apr 15, 2004, at 8:04 AM, Mark Haney wrote:
> I'm beginning to see those crazy 'bad GPG signature' errors when I run
> up2date again. I've not had the problem in a couple of weeks, is
> anyone else having that problem as well? Do I need to update my keys
> again? Is this GPG-key issue going to settle down after a while or
> will this be a constant thing?
GPG public key: <http://homepage.mac.com/smearp/seanpgp.asc>
More information about the fedora-test-list
mailing list