RedHat updates and unknown GPG signature

Nigel Wade nmw at ion.le.ac.uk
Fri Sep 8 10:53:12 UTC 2006


pierre_stephane.baton at alcatelaleniaspace.com wrote:
> https://www.redhat.com/security/team/key/
> 
> Try to import the gpg key from the RHEL Official CDROM (should not be 
> corrupted) using rpm --import
> 
> The key should be in /usr/share/rhn/RPM-GPG-KEY too.

I've already got that. What I was looking for was an alternate key to match 
these updated packages.

The strange thing is that if I download the individual RPMs from RHN, the GPG 
signature is fine, and they install without any problem. If I use up2date the 
signature is incorrect.

For example, if I attempt to update alsa-utils I get this message output on the 
terminal:

"warning: rpmts_HdrFromFdno: V3 DSA signature: NOKEY, key ID 897da07a"

I take this to mean that the GPG key ID of the package which up2date is 
downloading is "897da07a". However, if I download the RPM it shows:

#rpm --checksig -v alsa-utils-1.0.6-5.i386.rpm
alsa-utils-1.0.6-5.i386.rpm:
     Header V3 DSA signature: OK, key ID db42a60e
     Header SHA1 digest: OK (b4d8f5d43648ec683dcc8e025ae4b6c7d4eb375c)
     MD5 digest: OK (86118c7a4017f9ee10415b03f6ca591b)
     V3 DSA signature: OK, key ID db42a60e

i.e. the correct ID of "db42a60e".

So, what's happening here? Is up2date broken, is it downloading packages from 
alternate locations which are incorrectly signed? up2date is set up to use 
https://xmlrpc.rhn.redhat.com/XMLRPC as the download source.

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
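
Added example, not part of the original post: a small shell helper that pulls the signature key IDs out of rpm messages like the two quoted above and reports which ones are not in a given list of trusted key IDs. The function names are hypothetical; the sample input is the rpm output from the post, and imported_keyids assumes the usual rpm convention that each imported key appears as a gpg-pubkey package whose version is the key ID.

```shell
#!/bin/sh
# Added example: compare the key IDs rpm reports against the keys you trust.

# rpm messages copied from the post above (up2date warning + --checksig output).
sample_output() {
    cat <<'EOF'
warning: rpmts_HdrFromFdno: V3 DSA signature: NOKEY, key ID 897da07a
alsa-utils-1.0.6-5.i386.rpm:
     Header V3 DSA signature: OK, key ID db42a60e
     Header SHA1 digest: OK (b4d8f5d43648ec683dcc8e025ae4b6c7d4eb375c)
     MD5 digest: OK (86118c7a4017f9ee10415b03f6ca591b)
     V3 DSA signature: OK, key ID db42a60e
EOF
}

# Read rpm messages on stdin; print one "STATUS KEYID" line per distinct
# signature result (digest lines carry no key ID and are skipped).
sig_keyids() {
    sed -n 's/.*signature: \([A-Z]*\), key ID \([0-9a-fA-F]\{8\}\).*/\1 \2/p' |
        awk '{ print $1, tolower($2) }' | sort -u
}

# Read sig_keyids output on stdin; print every key ID that is not among the
# trusted key IDs passed as arguments (comparison is case-insensitive).
unknown_keyids() {
    trusted=" $(printf '%s ' "$@" | tr 'A-Z' 'a-z')"
    while read -r status keyid; do
        case "$trusted" in
            *" $keyid "*) ;;                    # key is in the trusted list
            *) printf '%s\n' "$keyid" ;;        # key was never imported
        esac
    done
}

# On a live system: key IDs currently imported into the rpm database.
# Assumes rpm is installed; not called by the demo below.
imported_keyids() {
    rpm -q gpg-pubkey --qf '%{VERSION}\n'
}

# Demo on the sample: treat db42a60e as the only imported key.
sample_output | sig_keyids
sample_output | sig_keyids | unknown_keyids db42a60e
```

On a real host, replace the fixed argument with $(imported_keyids) and pipe in the captured up2date or rpm --checksig -v output.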



