Mailinglist Archive: opensuse (2112 mails)
| < Previous | Next > |
Re: [opensuse] New key for the ATI Repo?
- From: Adam Jimerson <vendion@xxxxxxxxxxx>
- Date: Fri, 8 Aug 2008 20:06:37 -0400
- Message-id: <200808082006.58621.vendion@xxxxxxxxxxx>
On Friday 08 August 2008 3:32:09 pm John Andersen wrote:
But the above key was created this year, so if they make a new one yearly why
make a new one so soon? They shouldn't have to make a new one until
2009-2010, unless something happened to the above key right?
--
"We must plan for freedom, and not only for security, if for no other reason
than only freedom can make security more secure." Karl Popper
On Fri, Aug 8, 2008 at 12:23 PM, John Andersen <jsamyth@xxxxxxxxx> wrote:wrote:
On Fri, Aug 8, 2008 at 11:49 AM, Adam Jimerson <vendion@xxxxxxxxxxx>
YaST2 and openSUSE-updater are complaining that the signing key used on
the ATI repo does not match the key that I accepted when I added the
repo. The exact error that YaST2 is giving me is:
Validation Check Failed
File repomd.xml
is signed with the following GnuPG key, but the integrity check failed:
ID A794DEA1FC2D149
Fingerprint: 7D6F 1AF2 6CD1 D227 CD54 4AAE A794 D9EA 1FC2 D149
Name: ATI Linux Software (ATI-REPO.ZIP) <atilinuxsoftware@xxxxxxx>
Created: 06/12/2008
Expires: 06/12/2009
This means that the file has been changed by accident or by an attacker
since the repository creator signed it. Using it is a big risk for the
integrity and security of your system.
Use it anyway?
Yes/No buttons
I'm going to hit No, but did the ATI repo get a new key? I am sending
this to the email address the signed key as hoping that someone on ATI's
side will have an answer also.
--
"We must plan for freedom, and not only for security, if for no other
reason than only freedom can make security more secure." Karl Popper
Good question. A search on the address atilinuxsoftware@xxxxxxx
reports two keys generated in June of 2006 and June 2007, so maybe
they have a practice of changing keys yearly.
Never the less, the key you posted does not verify for me either
regardless of which of the several key servers I used.
I've just determined that all of the published keys for
atilinuxsoftware@xxxxxxx have a one year expiration date.
So it seems that this change was planned, but someone forgot to publish
the new key to any key servers.
But the above key was created this year, so if they make a new one yearly why
make a new one so soon? They shouldn't have to make a new one until
2009-2010, unless something happened to the above key right?
--
"We must plan for freedom, and not only for security, if for no other reason
than only freedom can make security more secure." Karl Popper
| < Previous | Next > |