On Friday 08 August 2008 3:32:09 pm John Andersen wrote:
On Fri, Aug 8, 2008 at 12:23 PM, John Andersen
wrote: On Fri, Aug 8, 2008 at 11:49 AM, Adam Jimerson
wrote: YaST2 and openSUSE-updater are complaining that the signing key used on the ATI repo does not match the key that I accepted when I added the repo. The exact error that YaST2 is giving me is:
Validation Check Failed
File repomd.xml is signed with the following GnuPG key, but the integrity check failed:
ID A794DEA1FC2D149 Fingerprint: 7D6F 1AF2 6CD1 D227 CD54 4AAE A794 D9EA 1FC2 D149 Name: ATI Linux Software (ATI-REPO.ZIP)
Created: 06/12/2008 Expires: 06/12/2009 This means that the file has been changed by accident or by an attacker since the repository creator signed it. Using it is a big risk for the integrity and security of your system.
Use it anyway? Yes/No buttons
I'm going to hit No, but did the ATI repo get a new key? I am sending this to the email address the signed key as hoping that someone on ATI's side will have an answer also. -- "We must plan for freedom, and not only for security, if for no other reason than only freedom can make security more secure." Karl Popper
Good question. A search on the address atilinuxsoftware@ati.com reports two keys generated in June of 2006 and June 2007, so maybe they have a practice of changing keys yearly.
Never the less, the key you posted does not verify for me either regardless of which of the several key servers I used.
I've just determined that all of the published keys for atilinuxsoftware@ati.com have a one year expiration date.
So it seems that this change was planned, but someone forgot to publish the new key to any key servers.
But the above key was created this year, so if they make a new one yearly why make a new one so soon? They shouldn't have to make a new one until 2009-2010, unless something happened to the above key right? -- "We must plan for freedom, and not only for security, if for no other reason than only freedom can make security more secure." Karl Popper