Ludwig Nussel [21.01.2009 10:31]:
> Werner Flamme wrote:
>> I noticed that for the last 5(?) times I got unsigned packages from the http://download.opensuse.org/updates/11.0 repository. As far as I know, these are security updates - shouldn't they be signed?
> Of course. Which ones are not signed? Looking at random samples on our staging server everything looks fine.
> cu Ludwig
Ludwig,
sorry, I was looking at the 11.1 update repo, not 11.0.
Apt told me - for example - that the packages xrdp and autofs were unsigned. Now I see:
# rpm --checksig autofs_5.0.3-82.28.1_x86%5f64.rpm
autofs_5.0.3-82.28.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
# rpm --checksig xrdp_0.4.1-16.6.1_x86%5f64.rpm
xrdp_0.4.1-16.6.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
Hm... what does rpm know that apt doesn't? And why does apt (apt-0.5.15lorg3.2-123.14) cry about "unsigned" when it is signed?
On an 11.0 box, the checks say:
# rpm --checksig autofs-5.0.3-82.28.1.x86_64.rpm
autofs-5.0.3-82.28.1.x86_64.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#3dbdc284)
# rpm --checksig xrdp-0.4.1-16.6.1.x86_64.rpm
xrdp-0.4.1-16.6.1.x86_64.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#3dbdc284)
OK, the key may be specific to 11.1. Normally, apt tells me that a package is signed with an unknown key... This may be the case on the 11.1 box:
# gpg --list-keys --no-default-keyring --keyring /usr/lib/rpm/gnupg/pubring.gpg 3dbdc284
pub 2048R/3DBDC284 2008-11-07 [verfällt: 2010-11-07]
uid openSUSE Project Signing Key
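The two rpm outputs quoted above differ in a way that is easy to skim past: in `rpm --checksig` output, checks that verified are printed in lowercase (`rsa sha1 (md5) pgp md5 OK`), failed checks in uppercase, and a signature type in parentheses such as `(PGP)` marks a signature whose key rpm could not find, which is what the trailing `MISSING KEYS: PGP#3dbdc284` spells out. A package in that state is not "unsigned", but it is also not verified, and an update tool should treat it as a failed check rather than install it. The following POSIX shell script is an added example, not code from this thread or from the openSUSE project; it classifies `rpm --checksig` lines into verified / missing key / bad and collects the key ids that would have to be imported (and, separately, trusted) before verification could succeed. The sample lines are constructed from the two results quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: classify lines produced by
# `rpm --checksig` so that a "NOT OK ... MISSING KEYS" result is never
# mistaken for a verified package. Sample lines below are constructed
# from the two outputs quoted in the thread.

# classify_checksig LINE
#   prints "ok"                -> all signatures/digests verified
#          "missing-key:<id>"  -> signature present but its key is not imported
#          "bad"               -> any other NOT OK result (bad signature, corrupt file)
#          "unknown"           -> line does not look like rpm --checksig output
classify_checksig() {
    _line=$1
    case "$_line" in
        *"NOT OK"*"MISSING KEYS: PGP#"*)
            # Take everything after "MISSING KEYS: PGP#", then cut at the closing ")"
            _id=${_line##*MISSING KEYS: PGP#}
            _id=${_id%%)*}
            printf 'missing-key:%s\n' "$_id"
            ;;
        *"NOT OK"*)
            printf 'bad\n'
            ;;
        *" OK")
            printf 'ok\n'
            ;;
        *)
            printf 'unknown\n'
            ;;
    esac
}

# missing_key_ids < checksig-output
#   prints the distinct key ids rpm reported as missing, one per line
missing_key_ids() {
    while IFS= read -r _l; do
        _r=$(classify_checksig "$_l")
        case "$_r" in
            missing-key:*) printf '%s\n' "${_r#missing-key:}" ;;
        esac
    done | sort -u
}

# Constructed sample: one verified package, one signed with a key that is
# not in the local rpm keyring (the 11.0 box in the thread).
SAMPLE_OUTPUT='autofs_5.0.3-82.28.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
xrdp-0.4.1-16.6.1.x86_64.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#3dbdc284)'

# Demo: list the key ids that would have to be imported before the
# second package could be verified.
printf '%s\n' "$SAMPLE_OUTPUT" | missing_key_ids
```

In practice the output of `rpm --checksig *.rpm` over a download directory would be piped into `missing_key_ids`; a non-empty result means the repository is signed with a key the box has never imported, which is the situation the 11.0 box above is in, and an empty result together with no `bad` lines is the only state in which the packages should be installed.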