
Re: yum GPG verify and package sigs...



On Sat, 23 Jul 2005, Warren Togami wrote:

> I just noticed that using yum's default FC4 configuration, it is seemingly
> impossible to install packages like docbook-utils which is signed by a
> different GPG key than the default specified to that repository in
> /etc/yum.repos.d/fedora.repo.  I suppose this is partially my fault because
> I'm the last person to touch that repo file, but it is strange to me that I
> never noticed this problem until now.
> 
> I *like* that yum enforces this strictly, but are there any good reasons why
> we should allow packages in a repo to be signed by two or more valid keys
> rather than a single key?
> 
> Did we screw up by not re-signing everything in base before pushing FC4, or is
> this really a yum config problem?
> 
> Any ideas how we should fix this now?  Should we re-sign the entire repo and
> push that to mirrors?

Either: 

* Don't do that again (not re-sign everything) next time
* List multiple keys, now that yum supports that

See also a whole slew of bugs in Bugzilla (160898, 161786, 162302, 162301, 
160436, etc.) caused by this.

later,
chris

