[packman] RPM problem with packet signatures (not zypper and repomd.xml!)
Joachim Schrod
jschrod at acm.org
Thu Mar 17 13:19:25 CET 2011
Marc Schiffbauer wrote:
> * Joachim Schrod wrote on 15.03.11 at 14:51:
Hi Marc,
Thanks for your fast answer.
>> I still have issues with the Packman signing key.
>>
>> I'm using openSUSE 11.1. But, AFAICS, that's not relevant; the same
>> error happens with downloaded 11.4 packages.
>>
>> # rpm -Kv libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm
>> libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm:
>> Header V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
>> Header SHA1 digest: OK (6a5712c079b4a93926cf4ea33caa4f46fc7aa3b4)
>> V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
>> MD5 digest: OK (083f96f42f9495e4ab3a6ccfff73467a)
>
> This must be a local issue at your site.
But, as Kyrill wrote, I'm not alone with this. Kyrill runs 11.1 as well;
maybe there is a compatibility problem with rpm in that release.
> The rpm in the repository is ok:
>
> rpm -Kv ./i586/libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm
> ./i586/libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm:
> Header V4 RSA/SHA1 Signature, key ID 1abd1afb: OK
> Header SHA1 digest: OK (6a5712c079b4a93926cf4ea33caa4f46fc7aa3b4)
> V4 RSA/SHA1 Signature, key ID 1abd1afb: OK
> MD5 digest: OK (083f96f42f9495e4ab3a6ccfff73467a)
>
> gpg-pubkey-1abd1afb-4c97c60c
OK; so I uninstalled all rpm keys with ID 1abd1afb and reinstalled the
one that I fetched from Packman's repository.

# rpm -qa 'gpg-pubkey*' | grep -i 1abd1afb
gpg-pubkey-1abd1afb-4c97c60c

Still the same problem,
rpm -Kv libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm tells about a
bad signature.

I also checked with rpm -qi gpg-pubkey-1abd1afb-4c97c60c that the rpm key
is really the same as the one that I imported, namely

pub 4096R/1ABD1AFB 2006-09-18 [expires: 2014-09-19]
Key fingerprint = F887 5B88 0D51 8B6B 8C53 0D13 45A1 D067 1ABD 1AFB
uid PackMan Project (signing key) <packman at links2linux.de>

Any ideas where I could look in addition?
Does anybody else still have an 11.1 around where that check works?

Sadly I can't trigger zypper to add --nosignature for
Packman's rpm packages. (Soon I'll update to 11.4 anyhow; I'd go along with
no sig checking for a few weeks.)
Joachim
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod Email: jschrod at acm.org
Roedermark, Germany
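
Added example, not part of the original message and not Packman or rpm code: a small Python triage of the `rpm -Kv` output quoted above. It reads both line layouts seen in the thread and separates a digest mismatch, a missing key, and the case reported here (digests OK, key installed, signature still BAD). The function names and result labels are assumptions made for this example.

```python
import re

# The two "rpm -Kv" signature layouts quoted in the thread (result before or after the key ID).
SIG = re.compile(r"^(?:Header )?V\d+ \S+ signature"
                 r"(?:: (?P<r1>\w+), key ID (?P<k1>[0-9a-f]{8})"
                 r"|, key ID (?P<k2>[0-9a-f]{8}): (?P<r2>\w+))$", re.I)
DIGEST = re.compile(r"^(?:Header )?(?:SHA1|MD5) digest: (?P<res>\w+)", re.I)
PUBKEY = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}$", re.I)

def parse_rpm_kv(text):
    """Return (kind, scope, result, key_id) tuples, one per check line."""
    checks = []
    for line in map(str.strip, text.splitlines()):
        scope = "header" if line.startswith("Header ") else "package"
        m = SIG.match(line)
        if m:
            checks.append(("signature", scope, (m["r1"] or m["r2"]).upper(),
                           (m["k1"] or m["k2"]).lower()))
            continue
        m = DIGEST.match(line)
        if m:
            checks.append(("digest", scope, m["res"].upper(), None))
    return checks

def installed_key_ids(rpm_qa_output):
    """Key IDs taken from package names such as gpg-pubkey-1abd1afb-4c97c60c."""
    return {m[1].lower() for m in map(PUBKEY.match, rpm_qa_output.split()) if m}

def triage(kv_output, rpm_qa_output):
    checks = parse_rpm_kv(kv_output)
    sigs = [c for c in checks if c[0] == "signature"]
    if not sigs:
        return "no-signature-lines"
    if any(c[0] == "digest" and c[2] != "OK" for c in checks):
        return "digest-mismatch"  # file differs from its embedded digests
    if all(c[2] == "OK" for c in sigs):
        return "verified"
    if any(c[3] not in installed_key_ids(rpm_qa_output) for c in sigs):
        return "key-not-installed"
    return "bad-signature-key-present"  # the case reported in this thread

# Output copied from the message above.
LOCAL = """libavutil50-0.6.201103092102git-1.pm.2.1.i586.rpm:
Header V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
Header SHA1 digest: OK (6a5712c079b4a93926cf4ea33caa4f46fc7aa3b4)
V4 RSA/SHA1 signature: BAD, key ID 1abd1afb
MD5 digest: OK (083f96f42f9495e4ab3a6ccfff73467a)"""

if __name__ == "__main__":
    print(triage(LOCAL, "gpg-pubkey-1abd1afb-4c97c60c"))
```

A digest that is OK only shows that the file matches its own embedded checksums; only the signature ties the package to the signing key.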