[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Importing third-party developer's public keys



On Fri, 2004-07-23 at 08:01, Michel Salim wrote:

> I checked fedora-installdevkeys and it seems to just perform rpm
> --root ~/.fedorarpm --import PUBKEY; so after downloading the
> developer's public key (gpg --recv-keys 1b4259b3 ; gpg --export
> --armor 1b4259b3 > PUBKEY) I did just this.
> 
> rpmlint'ing or fedora-rpmchecksig'ing the .src.rpm kept giving a
> MISSING KEY warning though. What did I do wrong?

rpmlint does not use ~/.fedorarpm, so MISSING KEY is expected with it.

fedora-rpmchecksig does use it, but in order to successfully import some
keys, after retrieving it from a keyserver one may have to "strip" extra
signatures (ie. all but the self-signature) and/or identities from it
due to a bug in rpm: https://bugzilla.redhat.com/90952

This is not specific to fedora-rpmchecksig BTW, but applies to rpm and
GPG keys in general.  People have posted utilities for doing the key
stripping to bugzilla.fedora.us and elsewhere, maybe we should include
one of those in rpmdevtools.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]