[packman] RPM problem with packet signatures (not zypper and repomd.xml!)
marc at schiffbauer.net
Wed Mar 16 19:02:23 CET 2011
* Joachim Schrod schrieb am 15.03.11 um 14:51 Uhr:
> I still have issues with the Packman signing key.
> A few days ago, problems during zypper refresh were mentioned,
> because repomd.xml.key was defect. This is *NOT* the issue I want
> to bring up. But it might be the same issue that John Field brought
> up at 2011-03-10.
> I'm using openSUSE 11.1. But, AFAICS, that's not relevant; the same
> error happens with downloaded 11.4 packages.
> During update, RPM complains about packet signatures, e.g., for libavutil50:
> libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm: Header V4
> RSA/SHA1 signature: BAD, key ID 1abd1afb
> And, sure enough:
> # rpm -Kv libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm
> Header V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
> Header SHA1 digest: OK (6a5712c079b4a93926cf4ea33caa4f46fc7aa3b4)
> V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
> MD5 digest: OK (083f96f42f9495e4ab3a6ccfff73467a)
This must be a local issue it your site.
The rpm in the repository is ok:
rpm -Kv ./i586/libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm
Header V4 RSA/SHA1 Signature, key ID 1abd1afb: OK
Header SHA1 digest: OK (6a5712c079b4a93926cf4ea33caa4f46fc7aa3b4)
V4 RSA/SHA1 Signature, key ID 1abd1afb: OK
MD5 digest: OK (083f96f42f9495e4ab3a6ccfff73467a)
> The RPM key database has two keys with that ID,
> gpg-pubkey-1abd1afb-48d62ce0 expired at 2010-09-21;
> gpg-pubkey-1abd1afb-4c97c60c expires at 2014-09-19.
You only need the latter.
> I checked that removal of the older key has no effect.
> I also rpm-imported the most current signing key that's available as
> repomd.xml.key or gpg-pubkey-1abd1afb.asc at the repository top.
> (After rpm-removing gpg-pubkey-1abd1afb-4c97c60c, of course.)
> Still bad RPM signatures.
> Then I thought "let's reinstall rpmkey-packman", maybe that brings a new
> correct key. Well, installing the current version of that
> package hoses the RPM key database:
AFAICT this package is not required anymore. Maybe the problem is that it MUST
NOT be installed at all?
> # rpm -qa 'gpg-pubkey*' | grep -i 1abd1afb
> error: rpmdbNextIterator: skipping h# 5324 Header V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
rpm -qa 'gpg-pubkey*' | grep -i 1abd1afb
> Arrgh. Glad I had a backup of /var/lib/rpm/.
> Then I decided to ask here. :-)
> Where do I find the correct RPM key for RPM signature checks?
> I.e., completely without zypper, I want to rpm --import a key, and
> then be able to rpm -Kv a package without errors.
> Thanks in advance for any pointer,
> PS: The signing key in package rpmkey-packman is the one that expired
> at 2010-09-21. Is that package not relevant any more for key updates?
> Should one uninstall it anyhow?
I am sure you can uninstall it.
8AAC 5F46 83B4 DB70 8317 3723 296C 6CCA 35A6 4134
More information about the Packman