Problems getting GPG key recognised by RPM
Hey all,
I'm trying to import a GPG key into RPM for package signature checking.
However, the ascii armored key doesn't seem to be recognised by RPM, although
the pseudo-package is created.
The key has ID CD3140CD. Exporting an ascii armored public key gives a file as
follows:
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.4 (GNU/Linux)
<snip>
- -----END PGP PUBLIC KEY BLOCK-----
This file was imported into RPM with "rpm --import rainer.asc". No errors
were reported during import. A list of current public keys known by rpm:
# rpm -qa gpg-pubkey*
gpg-pubkey-807235a8-3e26a1bc
gpg-pubkey-9c800aca-39eef481
# rpm -qi gpg-pubkey-807235a8-3e26a1bc
Name        : gpg-pubkey                  Relocations: (not relocatable)
Version     : 807235a8                    Vendor: (none)
Release     : 3e26a1bc                    Build Date: Wed Jul 21 14:35:30 2004
Install date: Wed Jul 21 14:35:30 2004    Build Host: localhost
Group       : Public Keys                 Source RPM: (none)
Size        : 0                           License: pubkey
Signature   : (none)
Summary     : gpg(Rainer Lay
On Wed, Jul 21, 2004 at 02:48:24PM +0200, Eric Seynaeve wrote:
I'm trying to import a GPG key into RPM for package signature checking. However, the ascii armored key doesn't seem to be recognised by RPM, although the pseudo-package is created.
I had the same problem today with the public key 414A57C3 for the samba packages in ftp.suse.com/projects/samba/3.0/
Also, shouldn't the name of pseudo package give an indication as to the key id?
Yes. In my case, rpm used the key ID of a signature not of the key itself.
What am I doing wrong? I found http://lists.suse.com/archive/suse-security/2004-Mar/0073.html indicating that the problem might be in the signature of the key. Can anybody shed some light on this? How do I limit the export of the signature (the exported file is larger than other found signature files). I have tried to export the key from gpg with --openpgp or --pgp2 but that doesn't seem to influence the export.
You can delete signatures from a key with the "delsig" command in the "edit" menu:

~> gpg --no-options --no-default-keyring --keyring temp.gpg --recv-keys [id]
~> gpg --no-options --no-default-keyring --keyring temp.gpg --edit [id]
Command> uid 1
Command> delsig
Now answer "y" to all signatures except the self-signatures. Repeat this for all UIDs.
Command> save
~> gpg --no-options --no-default-keyring --keyring temp.gpg -a -o temp.asc --export [id]
~> rpm --import temp.asc

Or maybe you should ask the package maintainer to provide a public key that works with rpm :-)

--
Michel Messerschmidt lists@michel-messerschmidt.de
antiVirusTestCenter, Computer Science, University of Hamburg
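
Added example, not part of the original thread: Python code that walks the packets of a binary OpenPGP export and lists the signatures issued by keys other than the primary key, which are the ones the delsig procedure above deletes. It assumes v4 keys and signatures (RFC 4880); the function names and the sample key are constructed for illustration.

```python
import hashlib

def _length(buf, i, two_max):  # new-format length at buf[i] -> (length, next index)
    n = buf[i]
    if n < 192:
        return n, i + 1
    if n <= two_max:
        return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    if n == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body length not handled")

def packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                        # new-format header
            tag, (n, i) = hdr & 0x3F, _length(data, i, 223)
        else:                                 # old-format; length type 3 runs to end of data
            tag, width = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            n, i = (int.from_bytes(data[i:i + width], "big") if width else len(data) - i), i + width
        yield tag, data[i:i + n]
        i += n

def key_id(pub):  # v4 key ID: low 64 bits of SHA-1 over 0x99, 2-octet length, key body
    return hashlib.sha1(b"\x99" + len(pub).to_bytes(2, "big") + pub).digest()[-8:]

def issuer(sig):  # issuer key ID (subpacket type 16) of a v4 signature body, else None
    hashed = int.from_bytes(sig[4:6], "big")
    unhashed = int.from_bytes(sig[6 + hashed:8 + hashed], "big")
    area, j = sig[6:6 + hashed] + sig[8 + hashed:8 + hashed + unhashed], 0
    while j < len(area):
        n, j = _length(area, j, 254)          # subpacket length counts the type octet
        if (area[j] & 0x7F) == 16:
            return area[j + 1:j + n]
        j += n

def foreign_signers(data):  # -> (primary key ID, issuers of v4 signatures by other keys)
    pkts = list(packets(data))
    own = key_id(next(b for t, b in pkts if t == 6))
    ids = [issuer(b) for t, b in pkts if t == 2 and b[0] == 4]
    return own.hex().upper(), [i.hex().upper() for i in ids if i and i != own]

def sample():  # constructed test key (not a real one): key, user ID, self-sig, foreign sig
    pkt = lambda tag, body: bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body
    sig = lambda kid: pkt(2, bytes.fromhex("04101102" "0000" "000a" "0910") + kid)
    pub = bytes.fromhex("040000000011") + b"constructed key material"
    return pkt(6, pub) + pkt(13, b"Test <test@example.org>") + sig(key_id(pub)) + sig(b"\x11" * 8)
```

To check a real key, pass in the bytes of a binary export (`gpg --export [id]` without `-a`). The version field of the gpg-pubkey pseudo-package is an 8-hex-digit ID that can be compared with the last 8 hex digits of the IDs returned here.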
Hey Michel,

Thanks a lot for your answer. I have been able to correctly (it seems) load Rainer's signature in rpm. Now I'm still fighting to load Manfred Tremmel's signature. Whatever I try, rpm always borks with 'error: .... import failed' but no indication why. I also tried the key on http://www.iivs.de/schwinde/buerger/tremmel/public_key.asc but no luck :-(.

Why did the rpm people dump the connection with gpg? This is making things a little (?) complicated. You have to destroy your web of trust in order to make rpm work?

Anyway, off to some more struggling. Then, finally, I might be able to apt-get upgrade ;-)

Eric

On Sunday 25 July 2004 15:36, Michel Messerschmidt wrote:
You can delete signatures from a key with the "delsig" command in the "edit" menu:
~> gpg --no-options --no-default-keyring --keyring temp.gpg --recv-keys [id]
~> gpg --no-options --no-default-keyring --keyring temp.gpg --edit [id]
Command> uid 1
Command> delsig
Now answer "y" to all signatures except the self-signatures. Repeat this for all UIDs.
Command> save
~> gpg --no-options --no-default-keyring --keyring temp.gpg -a -o temp.asc --export [id]
~> rpm --import temp.asc
Or maybe you should ask the package maintainer to provide a public key that works with rpm :-)
--
Michel Messerschmidt lists@michel-messerschmidt.de
antiVirusTestCenter, Computer Science, University of Hamburg
--
eric.seynaeve@advalvas.be
long GPG key id: B0BDB695395DDBFC
key fingerprint: B207 1531 4D18 7142 7ED2 B835 B0BD B695 395D DBFC

On Monday 26 July 2004 21:25, Eric Seynaeve wrote:
Why did the rpm people dump the connection with gpg? This is making things a little (?) complicated. You have to destroy your web of trust in order to make rpm work?
And even then it doesn't work (after stripping all additional IDs and signatures). I have an old RSA key (dates back to 1993) which rpm refuses to import. With the same non-descriptive message "import failed". Could it be that rpm doesn't like such an old beast?

Best regards, Arjen

participants (3)
- Arjen de Korte
- Eric Seynaeve
- Michel Messerschmidt