[packman] RPM problem with packet signatures (not zypper and repomd.xml!)

Joachim Schrod jschrod at acm.org
Tue Mar 15 14:51:39 CET 2011 

Hi,

I still have issues with the Packman signing key.

A few days ago, problems during zypper refresh were mentioned,
because repomd.xml.key was defect. This is *NOT* the issue I want
to bring up. But it might be the same issue that John Field brought
up at 2011-03-10.

I'm using openSUSE 11.1. But, AFAICS, that's not relevant; the same
error happens with downloaded 11.4 packages.

During update, RPM complains about packet signatures, e.g., for libavutil50:
  libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm: Header V4
  RSA/SHA1 signature: BAD, key ID 1abd1afb
And, sure enough:
  # rpm -Kv libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm 
  libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm:
    Header V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
    Header SHA1 digest: OK (6a5712c079b4a93926cf4ea33caa4f46fc7aa3b4)
    V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
    MD5 digest: OK (083f96f42f9495e4ab3a6ccfff73467a)

The RPM key database has two keys with that ID,
gpg-pubkey-1abd1afb-48d62ce0 expired at 2010-09-21;
gpg-pubkey-1abd1afb-4c97c60c expires at 2014-09-19.
I checked that removal of the older key has no effect.

I also rpm-imported the most current signing key that's available as
repomd.xml.key or gpg-pubkey-1abd1afb.asc at the repository top.
(After rpm-removing gpg-pubkey-1abd1afb-4c97c60c, of course.)
Still bad RPM signatures.

Then I thought "let's reinstall rpmkey-packman", maybe that brings a new
correct key. Well, installing the current version of that
package hoses the RPM key database:

  # rpm -qa 'gpg-pubkey*' | grep -i 1abd1afb
  error: rpmdbNextIterator: skipping h#    5324 Header V4 RSA/SHA1 signature: BAD, key ID 1abd1afb

Arrgh. Glad I had a backup of /var/lib/rpm/.

Then I decided to ask here. :-)
Where do I find the correct RPM key for RPM signature checks?
I.e., completely without zypper, I want to rpm --import a key, and
then be able to rpm -Kv a package without errors.

Thanks in advance for any pointer,

	Joachim

PS: The signing key in package rpmkey-packman is the one that expired
at 2010-09-21. Is that package not relevant any more for key updates?
Should one uninstall it anyhow?

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod				Email: jschrod at acm.org
Roedermark, Germany

More information about the Packman mailing list