bad signatures in contrib source
Dave Farrance
server in Paris France, and I can install packages OK with urpmi, but I
keep having to accept bad signature warnings whenever I get something
from "contrib". I've re-installed the source with the same result. Is
this just my problem or has anybody else noticed it?
The packages have the key 78d019f5, but urpmi is expecting 70771ff3, as
I think I understand from the following example:
# urpmi qdu
ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/official
/2006.0/i586/media/contrib/qdu-2.2-3mdk.i586.rpm
warning: /varThe following packages have bad signatures:
/var/cache/urpmi/rpms/qdu-2.2-3mdk.i586.rpm: Missing signature ((no key
found) OK)
Do you want to continue installation ? (y/N)
/cache/urpmi/partial/qdu-2.2-3mdk.i586.rpm: Header V3 DSA signature:
NOKEY, key ID 78d019f5
And here's the relevant lines from the urpmi config file
/etc/urpmi/urpmi.cfg that shows the keys installed when the source was
set up:
main
ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/official/2006.0/i586/media/main
{
hdlist: hdlist.main.cz
key-ids: 70771ff3
with_hdlist: media_info/hdlist.cz
}
contrib
ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/official/2006.0/i586/media/contrib
{
hdlist: hdlist.contrib.cz
key-ids: 70771ff3
with_hdlist: media_info/hdlist.cz
}
--
Dave Farrance
David W. Hodgins
> I've got my "main" and "contrib" sources pointing at the proxad.net
> server in Paris France, and I can install packages OK with urpmi, but I
> keep having to accept bad signature warnings whenever I get something
> from "contrib". I've re-installed the source with the same result. Is
> this just my problem or has anybody else noticed it?
As root, run
rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/official/current/i586/media/contrib/media_info/pubkey
Watch for word wrap.
Regards, Dave Hodgins
--
Change nomail.afraid.org to rogers.com to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Dave Farrance
>On Tue, 15 Nov 2005 17:43:21 -0500, Dave Farrance wrote:
>> I've got my "main" and "contrib" sources pointing at the proxad.net
>> server in Paris France, and I can install packages OK with urpmi, but I
>> keep having to accept bad signature warnings whenever I get something
>> from "contrib"...
>
>As root, run
>rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/official/current/i586/media/contrib/media_info/pubkey
>rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/official/current/i586/media/contrib/media_info/pubkey_contrib
Thanks that's got me another key: gpg-pubkey-78d019f5-3fd7504d
However, the package that I downloaded from contrib (qdu-2.2-3mdk) has
the key 445935f878d019f5 according to "rpm -qi". I've googled on this
number and found a few people complaining about other packages with this
key - but nobody knew where to import the key from.
Ho hum. I've installed the package now, and it works fine, but it does
rather defeat the purpose of the keys.
--
Dave Farrance
David W. Hodgins
> However, the package that I downloaded from contrib (qdu-2.2-3mdk) has
> the key 445935f878d019f5 according to "rpm -qi". I've googled on this
That's a cooker key, that for some reason I already have. Try
rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/devel/cooker/i586/media/media_info/pubkey_main
rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/devel/cooker/i586/media/media_info/pubkey_jpackage
rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/devel/cooker/i586/media/media_info/pubkey_contrib
Dave Farrance
>On Wed, 16 Nov 2005 07:42:59 -0500, Dave Farrance wrote:
>> However, the package that I downloaded from contrib (qdu-2.2-3mdk) has
>> the key 445935f878d019f5 according to "rpm -qi". I've googled on this
>
>That's a cooker key, that for some reason I already have. Try
>rpm --import ...
OK thanks, I've imported all those, but I'm still getting warnings of
the above key in some packages. I don't quite understand the
significance of the reported number. Does it mean that I should have an
imported pubkey identified as: gpg-pubkey-78d019f5-445935f8 ?
I actually have: gpg-pubkey-78d019f5-3fd7504d
I have several copies of it actually, and that's another problem. If I
try to delete the spurious copies with rpm -e, I get an error:
# rpm -e gpg-pubkey-78d019f5-3fd7504d
error: "gpg-pubkey-78d019f5-3fd7504d" specifies multiple packages
--
Dave Farrance
David W. Hodgins
>>> However, the package that I downloaded from contrib (qdu-2.2-3mdk) has
>>> the key 445935f878d019f5 according to "rpm -qi". I've googled on this
Part of the output of gpg -vv pubkey_contrib shows ...
:signature packet: algo 17, keyid 445935F878D019F5
which Identifies the subkey, and the key used to produce the signature.
The string 3fd7504d, which rpm is adding to the package name, does not
appear in the gpg listing of the key. Perhaps it's the key's creation
date. I don't know.
I did a search of the various pubkey file in subdirectories of...
ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/official/current
ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/official/updates
ftp.proxad.net/pub/Distributions_Linux/MandrivaLinux/old/updates
ftp.free.fr/pub/Distributions_Linux/plf/mandriva
Of the 16 or so pubkey files, there are 6 unique keys. Apparently,
everytime an addmedia, or rpm --import command is run, rpm adds the
located key(s) to it's database, with no cleanup of duplicates.
Running the following will produce a clean database of keys, with
all 6 keys...
rpm -e --allmatches gpg-pubkey-70771ff3-3c8f768f
rpm -e --allmatches gpg-pubkey-78d019f5-3fd7504d
rpm -e --allmatches gpg-pubkey-caba22ae-3cf2c469
rpm -e --allmatches gpg-pubkey-c431416d-3db4c821
rpm -e --allmatches gpg-pubkey-22458a98-3969e7de
rpm -e --allmatches gpg-pubkey-26752624-3fd74faa
rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/MandrivaLinux/official/current/i586/media/contrib/media_info/pubkey
rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/MandrivaLinux/official/current/i586/media/contrib/media_info/pubkey_contrib
rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/MandrivaLinux/official/current/i586/media/jpackage/media_info/pubkey
rpm --import ftp://ftp.free.fr/pub/Distributions_Linux/plf/mandriva/free/2006.0/pubkey
rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/MandrivaLinux/official/updates/current/main_updates/media_info/pubkey
rpm --import ftp://ftp.proxad.net/pub/Distributions_Linux/MandrivaLinux/old/updates/10.0/base/pubkey2
Then
rpm -qa gpg-pubkey*
shows ...
gpg-pubkey-70771ff3-3c8f768f
gpg-pubkey-caba22ae-3cf2c469
gpg-pubkey-22458a98-3969e7de
gpg-pubkey-78d019f5-3fd7504d
gpg-pubkey-c431416d-3db4c821
gpg-pubkey-26752624-3fd74faa
If you have the above 6 keys, and still get sig problems it's
most likely due to urpmi.cfg problems. Here's the portion of
my /etc/urpmi.cfg file past the installation isos...
updates ftp://ftp.proxad.net/pub/Distributions_Linux/MandrivaLinux/official/updates/current/main_updates {
hdlist: hdlist.updates.cz
key-ids: 22458a98
list: list.updates
update
with_hdlist: media_info/hdlist.cz
}
main ftp://ftp.proxad.net/pub/Distributions_Linux/MandrivaLinux/official/current/i586/media/main {
hdlist: hdlist.main.cz
with_hdlist: media_info/hdlist.cz
}
contrib ftp://ftp.proxad.net/pub/Distributions_Linux/MandrivaLinux/official/current/i586/media/contrib {
hdlist: hdlist.contrib.cz
with_hdlist: media_info/hdlist.cz
}
jpackage ftp://ftp.proxad.net/pub/Distributions_Linux/MandrivaLinux/official/current/i586/media/jpackage {
hdlist: hdlist.jpackage.cz
key-ids: c431416d
with_hdlist: media_info/hdlist.cz
}
plf-free ftp://ftp.free.fr/pub/Distributions_Linux/plf/mandriva/free/2006.0 {
hdlist: hdlist.plf-free.cz
key-ids: caba22ae
list: list.plf-free
update
with_hdlist: hdlist.cz
}
plf-nonfree ftp://ftp.free.fr/pub/Distributions_Linux/plf/mandriva/non-free/2006.0 {
hdlist: hdlist.plf-nonfree.cz
key-ids: caba22ae
list: list.plf-nonfree
with_hdlist: hdlist.cz
Dave Farrance
>Part of the output of gpg -vv pubkey_contrib shows ...
>:signature packet: algo 17, keyid 445935F878D019F5
>which Identifies the subkey, and the key used to produce the signature.
I see. Thanks.
>Running the following will produce a clean database of keys ...
That cleaned up my database OK, but urpmi still didn't like the key.
>If you have the above 6 keys, and still get sig problems it's
>most likely due to urpmi.cfg problems. Here's the portion of
>my /etc/urpmi.cfg file past the installation isos...
OK. The solution was to remove the line "key-ids: 70771ff3" from the
contrib entry in /etc/urpmi.cfg. No more urpmi complaints.
So it seems that was the problem. When the contrib source is created
with urpmi.addmedia, a single key becomes associated with the contrib
source in /etc/urpmi.cfg. Unfortunately, contrib has some packages that
do NOT use that particular key, and although the "bad" key IS present in
the key database, urpmi still complains.
I see that it's already been noted as Mandrake Bugzilla Bug 19511. I've
added a waspish comment. :-/
Thanks David, for your patience and for taking the time to produce such
detailed instructions.
--
Dave Farrance