yum GPG verify and package sigs...

Jeff Spaleta jspaleta at gmail.com
Sun Jul 24 01:58:03 UTC 2005


On 7/23/05, Ignacio Vazquez-Abrams <ivazquez at ivazquez.net> wrote:
> On Sat, 2005-07-23 at 18:41 -0400, Jeff Spaleta wrote:
> > On 7/23/05, Warren Togami <wtogami at redhat.com> wrote:
> > > In case you missed the discussion, this does not solve the problem.
> 
> > I've run into this on #fedora and I have yet to see importing of all
> > the provided keys fail to resolve the problem.
> 
> No, it only applies a bandage over it. The actual problem is that the
> packages are signed by 2 different keys. The solution is to re-sign
> them.

There are solutions.. and there are workarounds. I was originally
commenting on Miller's comment about an 'easy suggestion' to tell
users who encounter this problem. You are right, the only real
'solution' is to rebuild the packages AND rebuild the isos. But I know
that's realistically not going to happen. So we can either beat our
heads against the brick wall and shake our fists ever so viciously in
the air... or we can note in several places that the easiest way to
'workaround' the problem is to manually import all the keys installed
on the system by the fedora-release package and just move on.

I'd like to point out that while yum supporting multiple keys is
probably a useful option for Frankenstein local repos that people
patch together (like on my home lan) it wouldn't have prevented this
problem. The packages in the fc4 release were supposed to all be the
same key.. the yum config in the shipped fedora-release would have
just had one key defined... and I suspect that come fc5 fedora-release
will continue to only have one key defined in the provided yum config
because the expectation about how the packages are supposed to be
signed hasn't changed. The only long-term solution is to build in
some scripted checks to make sure that all the packages in the iso are
signed with the same key at iso generation time. That way every iso
as part of the fc5 testing and release process can be checked for
signing consistency before the iso is public.

-jef
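The "scripted check" Jef asks for at iso generation time, written out as an added example (not from this thread or from Fedora's release tooling): it walks an RPM tree, pulls the signing key ID out of each package header with `rpm --qf`, and fails if any package is unsigned or signed by a different key than the rest. The query-format string and the `--nosignature` flag are standard rpm, the directory layout and script name are assumptions.

```shell
#!/bin/sh
# Signing-consistency check for a tree of RPMs (added example, not the
# thread's or Fedora's code). Assumes the rpm command is present and that
# $1 is the iso's RPM directory, e.g. /mnt/iso/Fedora/RPMS (assumed path).

# Emit "<keyid> <file>" for every .rpm under $1. rpm's pgpsig formatting
# prints e.g. "DSA/SHA1, Sat 23 Jul 2005 ..., Key ID 4f2a6fd2"; the key ID
# is the last token. Unsigned packages produce the marker "(none)".
# --nosignature stops rpm from verifying (and failing on) unknown keys;
# we only want to read which key was used, not trust it.
list_sig_keys() {
    find "$1" -name '*.rpm' -print | while read -r f; do
        sig=$(rpm -qp --nosignature --qf \
'%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|' \
            "$f")
        printf '%s %s\n' "${sig##* }" "$f"
    done
}

# Read "<keyid> <file>" lines on stdin. Succeed only if every package is
# signed and all key IDs agree with the first signed one seen; each
# offending package is reported on stderr so the iso builder can see
# exactly which packages need re-signing.
check_key_consistency() {
    expected=
    bad=0
    while read -r key file; do
        if [ "$key" = "(none)" ]; then
            echo "UNSIGNED: $file" >&2
            bad=1
            continue
        fi
        [ -n "$expected" ] || expected=$key
        if [ "$key" != "$expected" ]; then
            echo "KEY MISMATCH ($key, expected $expected): $file" >&2
            bad=1
        fi
    done
    return $bad
}

# Usage: sh check-rpm-sigs.sh /mnt/iso/Fedora/RPMS   (script name assumed)
if [ $# -eq 1 ]; then
    list_sig_keys "$1" | check_key_consistency && echo "OK: one signing key"
fi
```

Exit status is non-zero on any inconsistency, so the check can gate the iso build in a pipeline.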
