Werner Flamme [21.01.2009 11:50]:
Apt told me - for example - packages xrdp and autofs were unsigned. Now I see:

    # rpm --checksig autofs_5.0.3-82.28.1_x86%5f64.rpm
    autofs_5.0.3-82.28.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
    # rpm --checksig xrdp_0.4.1-16.6.1_x86%5f64.rpm
    xrdp_0.4.1-16.6.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK

Hm... what does rpm know that apt doesn't? And why does apt (apt-0.5.15lorg3.2-123.14) cry about "unsigned", when it is signed?

Now I know: apt does not know "pgp", it looks for "gpg". In /usr/lib64/apt/scripts/gpg-checker.lua I found that apt performs "/bin/rpm --checksig" and parses the output. I see:

    if string.find(line, "gpg") then
        break

maybe because in 11.0 the packages are signed with gpg, and in 11.1 with gpg? Obviously, I am not the only one who missed the announcement that the signing method changed, since I can't find a newer apt on the build service ;-)

On 11.0:

    rpm --checksig /home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm
    /home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK

On 11.1:

    rpm --checksig /var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm
    /var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK

Both rpms are from the respective "update" repo. I doubled the if-statement in gpg-checker.lua and changed "gpg" to "pgp" in the copy. The next update on 11.1 will show if it helps :-)

Think this may result in a bugzilla entry for apt ;-)

Regards,
Werner
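
Added example (not part of the message above and not the code shipped in apt's gpg-checker.lua): one way to classify a line of "rpm --checksig" output so that both the "gpg" and the "pgp" token count as signed, matching whole tokens in the result field only. The function name classify and the last two sample lines are constructed for illustration; the first two sample lines are the ones quoted in the message.

```lua
-- Classify one line of `rpm --checksig` output.
-- Returns "signed", "unsigned" or "failed".
local function classify(line)
  -- Keep only the result field after the last ": ", so letters in the
  -- file name or path are never mistaken for a signature token.
  local result = line:match("^.*: (.*)$")
  if not result then
    return "failed"            -- not a checksig result line at all
  end
  -- A verified line ends in "OK"; "NOT OK" also ends in "OK", so it is
  -- ruled out explicitly with a plain (non-pattern) search.
  if not result:match("OK$") or result:find("NOT OK", 1, true) then
    return "failed"
  end
  -- Accept either signature token, compared as a whole word:
  -- "gpg" (the 11.0 sample) or "pgp" (the 11.1 sample).
  for token in result:gmatch("%S+") do
    if token == "gpg" or token == "pgp" then
      return "signed"
    end
  end
  -- Digests verified, but no signature token was present.
  return "unsigned"
end

local samples = {
  -- From the message (openSUSE 11.0 and 11.1):
  "/home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK",
  "/var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK",
  -- Constructed: digests only, and "gpg" occurs in the file name.
  "gpgme-example.rpm: sha1 md5 OK",
  -- Constructed: a digest check that did not pass.
  "example.rpm: sha1 MD5 NOT OK",
}

for _, line in ipairs(samples) do
  print(classify(line) .. "  <-  " .. line)
end
```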