[packman] RPM problem with packet signatures (not zypper and repomd.xml!)

Marc Schiffbauer marc at schiffbauer.net
Wed Mar 16 19:02:23 CET 2011


* Joachim Schrod schrieb am 15.03.11 um 14:51 Uhr:
> Hi,

Hi Joachim,

> 
> I still have issues with the Packman signing key.
> 
> A few days ago, problems during zypper refresh were mentioned,
> because repomd.xml.key was defect. This is *NOT* the issue I want
> to bring up. But it might be the same issue that John Field brought
> up at 2011-03-10.
> 
> I'm using openSUSE 11.1. But, AFAICS, that's not relevant; the same
> error happens with downloaded 11.4 packages.
> 
> During update, RPM complains about packet signatures, e.g., for libavutil50:
>   libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm: Header V4
>   RSA/SHA1 signature: BAD, key ID 1abd1afb
> And, sure enough:
>   # rpm -Kv libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm 
>   libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm:
>     Header V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
>     Header SHA1 digest: OK (6a5712c079b4a93926cf4ea33caa4f46fc7aa3b4)
>     V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
>     MD5 digest: OK (083f96f42f9495e4ab3a6ccfff73467a)

This must be a local issue it your site.

The rpm in the repository is ok:

rpm -Kv ./i586/libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm
./i586/libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm:
    Header V4 RSA/SHA1 Signature, key ID 1abd1afb: OK
    Header SHA1 digest: OK (6a5712c079b4a93926cf4ea33caa4f46fc7aa3b4)
    V4 RSA/SHA1 Signature, key ID 1abd1afb: OK
    MD5 digest: OK (083f96f42f9495e4ab3a6ccfff73467a)

gpg-pubkey-1abd1afb-4c97c60c


> 
> The RPM key database has two keys with that ID,
> gpg-pubkey-1abd1afb-48d62ce0 expired at 2010-09-21;
> gpg-pubkey-1abd1afb-4c97c60c expires at 2014-09-19.

You only need the latter.


> I checked that removal of the older key has no effect.
> 
> I also rpm-imported the most current signing key that's available as
> repomd.xml.key or gpg-pubkey-1abd1afb.asc at the repository top.
> (After rpm-removing gpg-pubkey-1abd1afb-4c97c60c, of course.)
> Still bad RPM signatures.
> 
> Then I thought "let's reinstall rpmkey-packman", maybe that brings a new
> correct key. Well, installing the current version of that
> package hoses the RPM key database:

AFAICT this package is not required anymore. Maybe the problem is that it MUST 
NOT be installed at all?


> 
>   # rpm -qa 'gpg-pubkey*' | grep -i 1abd1afb
>   error: rpmdbNextIterator: skipping h#    5324 Header V4 RSA/SHA1 signature: BAD, key ID 1abd1afb

rpm -qa 'gpg-pubkey*' | grep -i 1abd1afb
gpg-pubkey-1abd1afb-4c97c60c


> 
> Arrgh. Glad I had a backup of /var/lib/rpm/.
> 
> Then I decided to ask here. :-)
> Where do I find the correct RPM key for RPM signature checks?
> I.e., completely without zypper, I want to rpm --import a key, and
> then be able to rpm -Kv a package without errors.
> 
> Thanks in advance for any pointer,
> 
> 	Joachim
> 
> PS: The signing key in package rpmkey-packman is the one that expired
> at 2010-09-21. Is that package not relevant any more for key updates?
> Should one uninstall it anyhow?

I am sure you can uninstall it.

-Marc
-- 
8AAC 5F46 83B4 DB70 8317  3723 296C 6CCA 35A6 4134




More information about the Packman mailing list