hi all,
gpg / rpm --checksig
are driving me crazy....
i have two systems... suse 7.3 the one, suse 8.0 the other...
i have downloaded to both systems the latest webmin 1.060
webmin-1.060-1.noarch.rpm, and they gpg/pgp key from the author
http://switch.dl.sourceforge.net/sourceforge/webadmin/webmin-1.060-1.noarch....
http://www.webmin.com/jcameron-key.asc
the problem is, the one system gives me errors when rpm --checksig webmin-1.060-1.noarch.rpm
the other system works fine... both have gpg installed and i have imported the public key of the webmin author...
i dont see any difference...
see here:
the correctly working system (suse 7.3)
# gpg --list-keys -v
/root/.gnupg/pubring.gpg
------------------------
gpg: NOTE: signature key 9C800ACA expired Sat Oct 19 15:17:53 2002 CEST
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
gpg: NOTE: signature key 9C800ACA expired Sat Oct 19 15:17:53 2002 CEST
sig 9C800ACA 2000-10-19 SuSE Package Signing Key
sub 2048g/8495160C 2000-10-19 [expires: 2002-10-19]
sig 9C800ACA 2000-10-19 SuSE Package Signing Key
pub 1024D/11F63C51 2002-02-28 Jamie Cameron
sig 11F63C51 2002-02-28 Jamie Cameron
sub 1024g/1B24BE83 2002-02-28
sig 11F63C51 2002-02-28 Jamie Cameron
---------------
then rpm:
# rpm --checksig webmin-1.060-1.noarch.rpm -v
webmin-1.060-1.noarch.rpm:
MD5 sum OK: 547eb528952c96eec64ae3910e9c5aa5
gpg: Signature made Wed Feb 5 00:48:41 2003 CET using DSA key ID 11F63C51
gpg: Good signature from "Jamie Cameron "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: 1719 003A CE3E 5A41 E2DE 70DF D97A 3AE9 11F6 3C51
everything fine here, signature's been correctly checked on the suse 7.3 system...
-------------------------------------------------------------------------
-------------------------------------------------------------------------
now in contrast the suse 8.0 system:
# gpg --list-keys -v
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
sig B1CA3C45 1999-03-06 [User id not found]
sig 3D25D3D9 1999-03-06 SuSE Security Team
sig 000AABA4 2001-06-06 [User id not found]
sig CEFC9215 1999-08-15 [User id not found]
sig B0DFF780 2000-11-21 [User id not found]
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
sig 9C800ACA 2000-10-19 SuSE Package Signing Key
sig 000AABA4 2001-01-25 [User id not found]
sig 3D25D3D9 2001-01-25 SuSE Security Team
sig 9C800ACA 2002-02-13 SuSE Package Signing Key
sub 2048g/8495160C 2000-10-19 [expires: 2006-02-12]
sig 9C800ACA 2000-10-19 SuSE Package Signing Key
sig 9C800ACA 2002-02-13 SuSE Package Signing Key
pub 1024D/AFB66D7C 2002-04-28 fou4s build key
sig AFB66D7C 2002-04-28 fou4s build key
sub 1024g/8B6432D7 2002-04-28
sig AFB66D7C 2002-04-28 fou4s build key
pub 1024D/11F63C51 2002-02-28 Jamie Cameron
sig 11F63C51 2002-02-28 Jamie Cameron
sub 1024g/1B24BE83 2002-02-28
sig 11F63C51 2002-02-28 Jamie Cameron
-------------
now the rpm output:
rpm -v --checksig webmin-1.060-1.noarch.rpm
webmin-1.060-1.noarch.rpm:
MD5 sum OK: 547eb528952c96eec64ae3910e9c5aa5
gpg: Signature made Wed Feb 5 00:48:41 2003 CET using DSA key ID 11F63C51
gpg: Can't check signature: public key not found
----------------
jeez... am i stupid or not seeing the problem here? what the heck.... the pub key of jcameron@webmin.com is there on both systems... so what the heck is wrong here???
the md5 hash key is the very same on both systems, so the downloaded files are exactly the same... so why the heck cant suse 8.0 verify the file then????
can anyone help??
thanks and regards,
andy