yum GPG verify and package sigs...
seth vidal
skvidal at phy.duke.edu
Sat Jul 23 15:25:15 UTC 2005
On Sat, 2005-07-23 at 01:20 -1000, Warren Togami wrote:
> I just noticed that using yum's default FC4 configuration, it is
> seemingly impossible to install packages like docbook-utils which is
> signed by a different GPG key than the default specified to that
> repository in /etc/yum.repos.d/fedora.repo. I suppose this is partially
> my fault because I'm the last person to touch that repo file, but it is
> strange to me that I never noticed this problem until now.
>
> I *like* that yum enforces this strictly, but are there any good reasons
> why we should allow packages in a repo to be signed by two or more valid
> keys rather than a single key?
>
> Did we screw up by not resigning everything in base before pushing FC4,
> or is this really a yum config problem?
This is a screw up by not resigning everything. We've implemented
support for multiple gpgkeys per-repo in yum 2.3.4 but fedora core
should be signed with a single key.
> Any ideas how we should fix this now? Should we resign the entire repo
> and push that to mirrors?
won't work - most mirrors don't re-sync core after the initial release.
> Or maybe less radically update yum so the repo file allows both keys?
> (Use this as a one-time kludge for FC4, and in the future make sure each
> repo uses *one* key.)
also won't work b/c a lot of people have modified their repo file.
I'd recommend just not making this mistake again.
-sv
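Added example (not code from the thread or from yum itself) showing the two things the reply turns on: a repo stanza using the multiple-gpgkey support described for yum 2.3.4, and a small audit helper that flags packages whose signing key is not one the repo trusts, the docbook-utils situation. Key ids, package names and the second key file path are constructed placeholders.

```shell
#!/bin/sh
# Added example; key ids, package names and the second key path are placeholders.

# (1) /etc/yum.repos.d/fedora.repo excerpt. yum 2.3.4 and later accept several
#     gpgkey URLs (one per line, continuation lines indented). Older yum honours
#     only the first, which is why the thread wants one key per repo.
repo_stanza() {
  cat <<'EOF'
[base]
name=Fedora Core $releasever - $basearch - Base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-placeholder-second
EOF
}

# (2) check_sigs ALLOWED_IDS: reads "<name> <keyid>" lines on stdin and prints a
#     REJECT line for each package whose key id is not in ALLOWED_IDS (whitespace
#     separated). Real input would come from something like
#       rpm -qp --qf '%{NAME} %{SIGGPG:pgpsig}\n' *.rpm | awk '{print $1, $NF}'
#     where the last field of the pgpsig string is the signing key id; unsigned
#     packages print "(none)" and so are rejected as well.
check_sigs() {
  allowed="$1"
  while read -r pkg keyid; do
    case " $allowed " in
      *" $keyid "*) ;;                        # trusted key: accept silently
      *) echo "REJECT $pkg (key $keyid)" ;;   # unknown or missing key
    esac
  done
  return 0
}

# Constructed sample: two packages signed with the repo key AAAA1111, one signed
# with a second key BBBB2222 (the docbook-utils case), and one unsigned package.
SAMPLE='kernel AAAA1111
yum AAAA1111
docbook-utils BBBB2222
foo-unsigned (none)'

# Same package set audited against a single trusted key and against both keys.
single_key_rejects() { printf '%s\n' "$SAMPLE" | check_sigs 'AAAA1111'; }
multi_key_rejects()  { printf '%s\n' "$SAMPLE" | check_sigs 'AAAA1111 BBBB2222'; }

repo_stanza
single_key_rejects
multi_key_rejects
```

With only the repo key trusted, docbook-utils is rejected alongside the unsigned package; trusting both keys leaves only the unsigned one rejected, while gpgcheck=1 still refuses it at install time.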
More information about the Fedora-maintainers mailing list