all I wanted was to update the kernel, not a crypto lesson ...

Nelson Strother xunilarodef at gmail.com
Wed Oct 3 12:25:14 UTC 2007


On 9/29/07, Build System <buildsys at redhat.com> wrote:
> kernel-2.6.23-0.214.rc8.git2.fc8

  I hope one of you can help me save some time.  As suggested by a
kernel bug triager, I would like to install
  kernel-2.6.23-0.214.rc8.git2.fc8.i686.rpm
from the development repo on a Fedora7 system.

  The first attempt used yum, which ended with:

 warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, Key ID 30c9ecf8
 Public key for kernel-2.6.23-0.214.rc8.git2.fc8.i686.rpm is not installed
 #

Kernel updates have previously succeeded (via Pirut, aka Package Manager)
on this system, so I tried that tool with the result:

 Unable to verify kernel-2.6.23-0.214.rc8.git2.fc8.i686.rpm
 Public key for kernel-2.6.23-0.214.rc8.git2.fc8.i686.rpm is not installed

While the keys appear normal on this system, let's see if the problem
lies with the system configuration or this package:

 # rpm --checksig kernel-2.6.23-0.214.rc8.git2.fc8
 kernel-2.6.23-0.214.rc8.git2.fc8.i686.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#30c9ecf8)
 # rpm -vv --checksig kernel-2.6.23-0.214.rc8.git2.fc8
 D: Expected size:     17235630 = lead(96)+sigs(344)+pad(0)+data(17235190)
 D:   Actual size:     17235630
 D: opening  db environment /var/lib/rpm/Packages joinenv
 D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0
 D: locked   db index       /var/lib/rpm/Packages
 D: opening  db index       /var/lib/rpm/Pubkeys rdonly mode=0x0
 kernel-2.6.23-0.214.rc8.git2.fc8.i686.rpm:
     Header V3 DSA signature: NOKEY, key ID 30c9ecf8
     Header SHA1 digest: OK (b566737ca514eb14e6e7a8b38ddd32f8a12ff85d)
     MD5 digest: OK (d527f1188ec11a6f20645948cbfbe86b)
     V3 DSA signature: NOKEY, key ID 30c9ecf8
 D: closed   db index       /var/lib/rpm/Pubkeys
 D: closed   db index       /var/lib/rpm/Packages
 D: closed   db environment /var/lib/rpm/Packages
 D: May free Score board((nil))
 #

I'm still puzzled, so I try these commands on another Fedora7 system
where kernel-2.6.23-0.214.rc8.git2.fc8 has been downloaded (but where
there is no motivation yet to actually install it):

 # rpm --checksig kernel-2.6.23-0.214.rc8.git2.fc8
 # rpm -vv --checksig kernel-2.6.23-0.214.rc8.git2.fc8
 D: May free Score board((nil))
 #

This would seem to confirm that the package is OK.  But I remain
puzzled by the differences in verbose output from rpm.  However,
both systems claim to be running the same version of rpm:

 # rpm -q --whatprovides rpm
 rpm-4.4.2.1-1.fc7
 #

(On what I would think to be the infinitesimal chance that a package
could have been corrupted during download and still pass SHA1 and MD5
checks, I copied the package from the system where the check succeeds
to the system where the GPG check fails, with no change in the result
from --checksig.  At least that much seems rational.)

Now, to compare keys, on the system where the check fails, I see:

 # rpm -qa | grep -i gpg
 gpgme-1.1.4-1.fc7
 libgpg-error-1.4-2
 gpg-pubkey-4f2a6fd2-3f9d9d3b
 gpg-pubkey-1cddbca9-3f9da14c
 gpg-pubkey-e418e3aa-3f439953
 #

while on the system where the check succeeds, I see merely:

 # rpm -qa | grep -i gpg
 libgpg-error-1.4-2
 gpg-pubkey-4f2a6fd2-3f9d9d3b
 #

but the directory listings of /etc/pki/rpm-gpg/ on the two systems
appear identical.

  Explanations and insights, please?  (All I wanted to do was test a new
kernel!)

Cheers,
Nelson
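
Added example, not part of the original message: a small shell helper that cross-checks the key IDs rpm reports as NOKEY against the gpg-pubkey entries in the rpm database, using the output quoted above from the failing system as sample input. The function name missing_keys and the two sample variables are assumptions made for this illustration.

```shell
#!/bin/sh
# missing_keys CHECKSIG_OUTPUT RPM_QA_OUTPUT   (hypothetical helper name)
# Prints each key ID that rpm flagged as NOKEY and that has no matching
# gpg-pubkey-<keyid>-<timestamp> entry in the rpm database listing.
# rpm names an imported public key gpg-pubkey-<version>-<release>, where
# <version> is the last 8 hex digits of the key ID.
missing_keys() {
    checksig_out=$1
    rpm_qa_out=$2
    # Key IDs rpm could not find, lowercased and de-duplicated.
    wanted=$(printf '%s\n' "$checksig_out" |
        sed -n 's/.*NOKEY, [Kk]ey ID \([0-9A-Fa-f]\{8\}\).*/\1/p' |
        tr 'A-F' 'a-f' | sort -u)
    # Key IDs of the public keys already imported into the rpm database.
    have=$(printf '%s\n' "$rpm_qa_out" |
        sed -n 's/^gpg-pubkey-\([0-9a-f]\{8\}\)-[0-9a-f]\{8\}$/\1/p' | sort -u)
    for id in $wanted; do
        if ! printf '%s\n' "$have" | grep -qx "$id"; then
            printf '%s\n' "$id"
        fi
    done
}

# Sample input copied from the failing system in the message above.
CHECKSIG_SAMPLE='kernel-2.6.23-0.214.rc8.git2.fc8.i686.rpm:
     Header V3 DSA signature: NOKEY, key ID 30c9ecf8
     Header SHA1 digest: OK (b566737ca514eb14e6e7a8b38ddd32f8a12ff85d)
     MD5 digest: OK (d527f1188ec11a6f20645948cbfbe86b)
     V3 DSA signature: NOKEY, key ID 30c9ecf8'
RPM_QA_SAMPLE='gpgme-1.1.4-1.fc7
libgpg-error-1.4-2
gpg-pubkey-4f2a6fd2-3f9d9d3b
gpg-pubkey-1cddbca9-3f9da14c
gpg-pubkey-e418e3aa-3f439953'

# On a live system the two arguments would come from
# "rpm -v --checksig <package>" and "rpm -qa" respectively.
missing_keys "$CHECKSIG_SAMPLE" "$RPM_QA_SAMPLE"
```

With the sample input it prints 30c9ecf8, the one key ID from the signature that is absent from the three imported gpg-pubkey entries.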
