
Re: http://fedora.redhat.com/ and GPG Signatures

On Friday 23 April 2004 13:56, CJ Kucera wrote:
> Two links are given for the primary Fedora package signing key, one
> at fedora.redhat.com, and the other at the public keyserver
> pgp.mit.edu. I've been trying to figure out why the key I've been
> using hasn't been validating RPMs properly, and as it turns out, the
> key being given at pgp.mit.edu is *different* from the key at
> fedora.redhat.com.
> This was a bit confusing, as both keys had the same datestamp and the
> same ID, so I've been beating my head against the wall for some time
> now.  The one hosted at fedora.redhat.com works, the one at
> pgp.mit.edu doesn't.  Now obviously the one at pgp.mit.edu should
> probably be updated somehow to be the correct key, but in the
> meantime it'd be great if the website mentioned something along the
> lines of, "don't grab the one at pgp.mit.edu because it won't work"
> and take that link off of there, so that people like me who generally
> *only* use public keyservers won't spend a lot of time confused.  :)

Could it be that the one on the keyserver has been signed by various 
folks?  Rpm checking against keys that have been signed is a no-no, 
which is why Fedora offers up an unsigned key on their website for 
usage.  The one on the server is signed to verify validity.

Jesse Keating RHCE      (geek.j2solutions.net)
Fedora Legacy Team      (www.fedoralegacy.org)
GPG Public Key          (geek.j2solutions.net/jkeating.j2solutions.pub)
Was I helpful?  Let others know:

Attachment: pgp00109.pgp
Description: signature
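
An added example, not part of the thread and not Fedora or RPM code: one way to check whether two copies of a key with the same ID are the same primary key differing only in attached signature packets, which is what the reply above suggests. The key bytes are constructed sample data, and `packets`, `summarize` and `old_packet` are names chosen for this illustration.

```python
import hashlib
import struct

def packets(data):
    """Yield (tag, body) for each packet in a binary (de-armored) OpenPGP key."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: tag in the low 6 bits
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not handled")
        else:  # old-format header: tag in bits 5..2, length type in bits 1..0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = 1 << ltype
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length

def summarize(data):
    """Return (v4 fingerprint, creation time, count of signature packets)."""
    pkts = list(packets(data))
    tag, body = pkts[0]
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a v4 public-key packet first")
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    created = int.from_bytes(body[1:5], "big")
    return fpr, created, sum(1 for t, _ in pkts if t == 2)

def old_packet(tag, body):
    """Build an old-format packet with a two-byte length (sample data only)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

# Constructed sample: version 4, creation time, algorithm 17 (DSA), four dummy MPIs.
KEY = b"\x04" + struct.pack(">I", 1070000000) + b"\x11" + b"\x00\x08\xff" * 4
UID = b"Example Signing Key <key@example.invalid>"
website_copy = old_packet(6, KEY) + old_packet(13, UID) + old_packet(2, b"self-sig")
keyserver_copy = website_copy + old_packet(2, b"sig-A") + old_packet(2, b"sig-B")
```

Equal fingerprints with different signature counts mean the two files carry the same primary key and differ only in certifications; different fingerprints mean they are different keys, whatever the displayed ID and date say.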
