Fwd: Re: [suse-security] GPG 1.2.1 and YOU
On Friday 11 Apr 2003 13:33, Lars Ellenberg wrote:
On Fri, Apr 11, 2003 at 09:25:43AM +0100, Matt Gibson wrote:
what does rpm -v --checksig <some.rpm> tell you?
That works fine; it doesn't seem to be the md5 checksum signature, but the pgp signature of the package that's the problem.
rpm -v --checksig _does_ verify the gpg sig, too.
Ah, yes, thank you for that. I foolishly tested it on a package which didn't have a pgp signature, so it only told me about the MD5 sum. Excuse me while I kick myself.
if it does not tell you about gpg at all, then either there is no gpg sig, or it could not find gpg executable/libs (don't know if it uses only some lib routines, or the executable).
Now, I've tried it on a package which _does_ have a pgp signature from SuSE, and it's perfectly happy with that: it displays the gpg output correctly. So...
in the latter case, the suggested symlink from /usr/bin/gpg to /usr/local/bin/gpg could help.
I've now tried this. Incidentally (and to help anyone searching for this in the mailing list archive!), the error message I get from Yast is:

"Warning Cannot check the patch <whatever> because the PGP key is not installed or is corrupted. So SuSE cannot guarantee that the packages has been created by SuSE"

And creating the link from /usr/bin/gpg to /usr/local/bin/gpg has fixed the problem! I guess something's hardcoded somewhere, or perhaps for security reasons YaST uses a more limited path than the normal root path (/usr/local/bin is in root's path on my system.)

Thanks for your time, people.

Matt

--
"It's the small gaps between the rain that count, and learning how to live amongst them." -- Jeff Noon