going nuts with rpm --checksig / gpg, works on suse 7.3, doesnt work on suse 8.0
hi all,

gpg / rpm --checksig are driving me crazy....

i have two systems... suse 7.3 the one, suse 8.0 the other...

i have downloaded to both systems the latest webmin 1.060 webmin-1.060-1.noarch.rpm, and the gpg/pgp key from the author

http://switch.dl.sourceforge.net/sourceforge/webadmin/webmin-1.060-1.noarch....
http://www.webmin.com/jcameron-key.asc

the problem is, the one system gives me errors when rpm --checksig webmin-1.060-1.noarch.rpm the other system works fine... both have gpg installed and i have imported the public key of the webmin author... i don't see any difference...

see here:

the correctly working system (suse 7.3)

    # gpg --list-keys -v
    /root/.gnupg/pubring.gpg
    ------------------------
    gpg: NOTE: signature key 9C800ACA expired Sat Oct 19 15:17:53 2002 CEST
    pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
    gpg: NOTE: signature key 9C800ACA expired Sat Oct 19 15:17:53 2002 CEST
    sig 9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
    sub 2048g/8495160C 2000-10-19 [expires: 2002-10-19]
    sig 9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
    pub 1024D/11F63C51 2002-02-28 Jamie Cameron <jcameron@webmin.com>
    sig 11F63C51 2002-02-28 Jamie Cameron <jcameron@webmin.com>
    sub 1024g/1B24BE83 2002-02-28
    sig 11F63C51 2002-02-28 Jamie Cameron <jcameron@webmin.com>
    ---------------

then rpm:

    # rpm --checksig webmin-1.060-1.noarch.rpm -v
    webmin-1.060-1.noarch.rpm:
    MD5 sum OK: 547eb528952c96eec64ae3910e9c5aa5
    gpg: Signature made Wed Feb 5 00:48:41 2003 CET using DSA key ID 11F63C51
    gpg: Good signature from "Jamie Cameron <jcameron@webmin.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    gpg: Fingerprint: 1719 003A CE3E 5A41 E2DE 70DF D97A 3AE9 11F6 3C51

everything fine here, signature's been correctly checked on the suse 7.3 system...

-------------------------------------------------------------------------
-------------------------------------------------------------------------

now in contrast the suse 8.0 system:

    # gpg --list-keys -v
    /root/.gnupg/pubring.gpg
    ------------------------
    pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
    sig B1CA3C45 1999-03-06 [User id not found]
    sig 3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
    sig 000AABA4 2001-06-06 [User id not found]
    sig CEFC9215 1999-08-15 [User id not found]
    sig B0DFF780 2000-11-21 [User id not found]
    pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
    sig 9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
    sig 000AABA4 2001-01-25 [User id not found]
    sig 3D25D3D9 2001-01-25 SuSE Security Team <security@suse.de>
    sig 9C800ACA 2002-02-13 SuSE Package Signing Key <build@suse.de>
    sub 2048g/8495160C 2000-10-19 [expires: 2006-02-12]
    sig 9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
    sig 9C800ACA 2002-02-13 SuSE Package Signing Key <build@suse.de>
    pub 1024D/AFB66D7C 2002-04-28 fou4s build key <fou4s@gaugusch.at>
    sig AFB66D7C 2002-04-28 fou4s build key <fou4s@gaugusch.at>
    sub 1024g/8B6432D7 2002-04-28
    sig AFB66D7C 2002-04-28 fou4s build key <fou4s@gaugusch.at>
    pub 1024D/11F63C51 2002-02-28 Jamie Cameron <jcameron@webmin.com>
    sig 11F63C51 2002-02-28 Jamie Cameron <jcameron@webmin.com>
    sub 1024g/1B24BE83 2002-02-28
    sig 11F63C51 2002-02-28 Jamie Cameron <jcameron@webmin.com>
    -------------

now the rpm output:

    rpm -v --checksig webmin-1.060-1.noarch.rpm
    webmin-1.060-1.noarch.rpm:
    MD5 sum OK: 547eb528952c96eec64ae3910e9c5aa5
    gpg: Signature made Wed Feb 5 00:48:41 2003 CET using DSA key ID 11F63C51
    gpg: Can't check signature: public key not found
    ----------------

jeez... am i stupid or not seeing the problem here? what the heck.... the pub key of jcameron@webmin.com is there on both systems... so what the heck is wrong here???

the md5 hash key is the very same on both systems, so the downloaded files are exactly the same... so why the heck can't suse 8.0 verify the file then????

can anyone help??

thanks and regards,
andy
On Feb 7, Andreas Bittner <bittner@rz.fh-heilbronn.de> wrote:

> hi all,
>
> gpg / rpm --checksig are driving me crazy....
>
> i have two systems... suse 7.3 the one, suse 8.0 the other...
> [...]
> the problem is, the one system gives me errors when rpm --checksig webmin-1.060-1.noarch.rpm the other system works fine... both have gpg installed and i have imported the public key of the webmin author... i don't see any difference...
> [...]
> sig B1CA3C45 1999-03-06 [User id not found]

You must import the key into the keyring of the RPM system

    export GPGHOME=/usr/lib/rpm/gpg
    ... import the key ...

If you had done sig checking NOT AS ROOT, it would have worked. It's not a bug, it's a feature ... ;)

Markus
-- 
__________________           /"\
Markus Gaugusch              \ /    ASCII Ribbon Campaign
markus@gaugusch.at            X     Against HTML Mail
                             / \
----- Original Message -----
From: "Markus Gaugusch" <markus@gaugusch.at>
To: "SuSE-Security" <suse-security@suse.com>
Sent: Friday, February 07, 2003 8:30 PM
Subject: Re: [suse-security] going nuts with rpm --checksig / gpg, works on suse 7.3, doesnt work on suse 8.0

> On Feb 7, Andreas Bittner <bittner@rz.fh-heilbronn.de> wrote:
>
> > hi all,
> >
> > gpg / rpm --checksig are driving me crazy....
> >
> > i have two systems... suse 7.3 the one, suse 8.0 the other...
> > [...]
> > the problem is, the one system gives me errors when rpm --checksig webmin-1.060-1.noarch.rpm the other system works fine... both have gpg installed and i have imported the public key of the webmin author... i don't see any difference...
> > [...]
> > sig B1CA3C45 1999-03-06 [User id not found]
>
> You must import the key into the keyring of the RPM system
>
>     export GPGHOME=/usr/lib/rpm/gpg
>     ... import the key ...
>
> If you had done sig checking NOT AS ROOT, it would have worked.

hmm don't understand...

during execution i was root on both systems... what has changed from suse 7.3 to 8.0?? i haven't been using gpg/rpm with a normal user account at all... all the pub keys have been imported to the root keyrings... the normal users have never been using gpg... gpg --list-keys returns empty stuff.... so why does it work with suse 7.3 but doesn't work with suse 8.0....

i mean the key from the webmin author IS THERE in the keyring of root on both systems... what the heck does it tell me it can't find the pub key then on the 8.0 system ????
On Feb 7, Andreas Bittner <bittner@rz.fh-heilbronn.de> wrote:

> during execution i was root on both systems... what has changed from suse 7.3 to 8.0?? i haven't been using gpg/rpm with a normal user account at all... all the pub keys have been imported to the root keyrings... the normal users have never been using gpg...

Yes it has changed between 7.3 and 8.0. rpm --verify uses NOT the keyring of root (if run as root), but the keyring in /usr/lib/rpm/gnupg. (Sorry, had a typo in last mail. this directory is right)

> i mean the key from the webmin author IS THERE in the keyring of root on both systems... what the heck does it tell me it can't find the pub key then on the 8.0 system ????

As I said, it changed and 8.0 doesn't use root's keyring.

Markus
-- 
__________________           /"\
Markus Gaugusch              \ /    ASCII Ribbon Campaign
markus@gaugusch.at            X     Against HTML Mail
                             / \
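
The keyring mismatch described in this thread can be checked by pointing gpg at each home directory in turn and, if needed, copying the key across. The script below is an added example, not part of the thread: the function names are hypothetical, the key ID and the two directories are the ones quoted in the messages, and it uses gpg's own --homedir option.

```shell
#!/bin/sh
# Added example, not from the thread. Compares GnuPG keyrings by home directory.
# --homedir is gpg's own option (same effect as the GNUPGHOME environment variable).

# has_key HOMEDIR KEYID: succeeds if the keyring in HOMEDIR holds KEYID.
has_key() {
    [ -d "$1" ] || return 1
    gpg --homedir "$1" --batch --no-tty --list-keys "$2" >/dev/null 2>&1
}

# keyring_report KEYID HOMEDIR...: one "present DIR" or "missing DIR" line per keyring.
keyring_report() {
    kr_key=$1; shift
    for kr_dir in "$@"; do
        if has_key "$kr_dir" "$kr_key"; then
            echo "present $kr_dir"
        else
            echo "missing $kr_dir"
        fi
    done
}

# copy_key SRC DST KEYID: export KEYID from the SRC keyring and import it into DST.
# Returns 0 if DST holds the key afterwards, 1 if SRC lacks it, 2 if the import failed.
copy_key() {
    has_key "$2" "$3" && return 0            # already present, nothing to do
    has_key "$1" "$3" || return 1            # source keyring does not have it
    gpg --homedir "$1" --batch --no-tty --armor --export "$3" |
        gpg --homedir "$2" --batch --no-tty --import >/dev/null 2>&1 || return 2
    has_key "$2" "$3" || return 2
}

# Usage on the SuSE 8.0 system from the thread (as root; paths as quoted there):
#   keyring_report 11F63C51 /root/.gnupg /usr/lib/rpm/gnupg
#   copy_key /root/.gnupg /usr/lib/rpm/gnupg 11F63C51
#   rpm -v --checksig webmin-1.060-1.noarch.rpm
```

Compare the fingerprint of the imported key with the one the author publishes before relying on a "Good signature" result; the presence of a key in the keyring only means gpg can run the check.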