![](https://seccdn.libravatar.org/avatar/2435cea10bbea2f899b34c83e9e59223.jpg?s=120&d=mm&r=g)
Hello Suse people, No, not wisecracks. An answer to why smart won't install upgraded packages because it needs a gpg key. I posed this same question a couple of weeks ago and two replies were to ignore it. Wellll..that don't work. It wants a key. I joined the labix.org wiki and the same exact thing posted over 7 days ago without a reply. I saw a suggestion from Richard Bos pertaining to keys somewhat, and maybe to this question, After that I saw a reply that they were going to include it. Waited about a week, saw there was a revision to the four smart packages, downloaded them and installed them. Same problem. Won't install the packages without the keys. The error message says that smart imported the key successfully but then errors out saying a public key is not avasilable. Don't really understand this nor do I know how to verify a fingerprint. Getting very frustrating. I can't be the only one with this problem. Maybe what is obvious and simple for others is lost to me. Following is the message if someone wants to read it. ------------------------------------------------------------------------------ Committing transaction... warning: rpmts_HdrFromFdno: V3 DSA signature: NOKEY, key ID 5277a2fa Trying to import the key 888366c05277a2fa from subkeys.pgp.net... gpg: requesting key 5277A2FA from hkp server subkeys.pgp.net gpg: key 5277A2FA: "Manfred Tremmel <Manfred.Tremmel@iiv.de>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 The above GPG key has been imported successfully. It is required to install this package: alsa-firmware-1.0.12-0.pm.1.noarch.rpm Do you want to trust this key forever? You must verify the below fingerprint before answering. pub 1024D/5277A2FA 1999-07-26 [expires: 2099-12-31] Key fingerprint = 5296 01E5 5911 A1DC 93D4 45D5 8883 66C0 5277 A2FA uid Manfred Tremmel <Manfred.Tremmel@iiv.de> sub 3072g/81D6CA10 1999-07-26 If you answer "Yes" all other packages signed with this key will be installed automatically. (y/N): y error: alsa-firmware-1.0.12-0.pm.1.noarch.rpm: public key not available EasyStreet:/ # ----------------------------------------------------------------- Bob S.
![](https://seccdn.libravatar.org/avatar/7574aaee71d8971a36f4283a7cad6b2c.jpg?s=120&d=mm&r=g)
* Bob S <usr@sanctum.com> [09-14-06 17:01]:
No, not wisecracks. An answer to why smart won't install upgraded packages because it needs a gpg key. I posed this same question a couple of weeks ago and two replies were to ignore it. Wellll..that don't work. It wants a key.
two ways smart config --set rpm-check-signatures=False and/or edit /usr/lib/smart/distro.py change line 7 True to False -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery2
![](https://seccdn.libravatar.org/avatar/2435cea10bbea2f899b34c83e9e59223.jpg?s=120&d=mm&r=g)
On Thursday 14 September 2006 17:48, Patrick Shanahan wrote:
* Bob S <usr@sanctum.com> [09-14-06 17:01]:
No, not wisecracks. An answer to why smart won't install upgraded packages because it needs a gpg key. I posed this same question a couple of weeks ago and two replies were to ignore it. Wellll..that don't work. It wants a key.
two ways
smart config --set rpm-check-signatures=False
and/or
edit /usr/lib/smart/distro.py change line 7 True to False
Thank You Patrick This mail gets saved in the Important/Last Resort file. Was hoping that someone could answer why. Used to work perfectly. Bob S.
![](https://seccdn.libravatar.org/avatar/ee33f238289b12d61dc71dc21a520124.jpg?s=120&d=mm&r=g)
On Thu, 14 Sep 2006 17:03:35 -0400 Bob S <usr@sanctum.com> wrote:
The error message says that smart imported the key successfully but then errors out saying a public key is not avasilable. Don't really understand this nor do I know how to verify a fingerprint. Getting very frustrating. I can't be the only one with this problem. Maybe what is obvious and simple for others is lost to me.
Does your system happen to access the network through a proxy ? I believe the "internal" gpg call made by smart has problems if there is a proxy in the transmission path. mikus
![](https://seccdn.libravatar.org/avatar/72ee3b9e0735cf98a1e936a90fc087ed.jpg?s=120&d=mm&r=g)
On Thursday 14 September 2006 23:03, Bob S wrote:
Hello Suse people,
No, not wisecracks. An answer to why smart won't install upgraded packages because it needs a gpg key. I posed this same question a couple of weeks ago and two replies were to ignore it. Wellll..that don't work. It wants a key.
There is a reason why the packages are signed. If you keep installing packages from untrusted sources, you forfeit all future rights to complain about non-working systems for all times in perpetuity The solution is simple: either get the key (if you know and trust the publisher) and import it into rpm, or don't install the package. This is not a wisecrack, this is the reality of life on the internet
![](https://seccdn.libravatar.org/avatar/2435cea10bbea2f899b34c83e9e59223.jpg?s=120&d=mm&r=g)
On Thursday 14 September 2006 17:57, Anders Johansson wrote:
On Thursday 14 September 2006 23:03, Bob S wrote:
Hello Suse people,
No, not wisecracks. An answer to why smart won't install upgraded packages because it needs a gpg key. I posed this same question a couple of weeks ago and two replies were to ignore it. Wellll..that don't work. It wants a key.
There is a reason why the packages are signed.
If you keep installing packages from untrusted sources, you forfeit all future rights to complain about non-working systems for all times in perpetuity
Thanks Anders, You are preaching to the preacher.
The solution is simple: either get the key (if you know and trust the publisher) and import it into rpm, or don't install the package.
Not simple at all. If you read the error message it states that the key was successfully imported. Down at the bottom of the message it states" no public key available" Is there some other key that I need? As per "don't install" that is not possible if I want/need to upgrade. It effects every package in the repository. Don't understand it. Used to work.
This is not a wisecrack, this is the reality of life on the internet
Like I said, preach to the preacher. Bob S. PS to Mikus, Nope no network involved.
![](https://seccdn.libravatar.org/avatar/72ee3b9e0735cf98a1e936a90fc087ed.jpg?s=120&d=mm&r=g)
On Friday 15 September 2006 04:22, Bob S wrote:
Thanks Anders,
You are preaching to the preacher.
I'm glad to hear it
The solution is simple: either get the key (if you know and trust the publisher) and import it into rpm, or don't install the package.
Not simple at all. If you read the error message it states that the key was successfully imported.
It does look odd. Have you tried adding a trust to the key in the keyring manually with gpg? Perhaps they want you to answer Yes instead of y, since the message says "If you answer "Yes"..." :)
![](https://seccdn.libravatar.org/avatar/2435cea10bbea2f899b34c83e9e59223.jpg?s=120&d=mm&r=g)
On Friday 15 September 2006 15:19, Anders Johansson wrote:
On Friday 15 September 2006 04:22, Bob S wrote:
Thanks Anders,
You are preaching to the preacher.
I'm glad to hear it
The solution is simple: either get the key (if you know and trust the publisher) and import it into rpm, or don't install the package.
Not simple at all. If you read the error message it states that the key was successfully imported.
It does look odd. Have you tried adding a trust to the key in the keyring manually with gpg?
Hello Anders, Sorry for the slow reply. Had a family emergency with one of my children. There is life beyond SuSE Linux. Anyway, don't know how to add "trust" to the key in the keyring. I have no gpg at all running on this computer. I go on line download my email and go off line. Rarely surf the Internet except for stuff that is brought up in the lists. and shut down when I am finished. Maybe on-line 15 or 20 minutes a day. Didn't think I would need gpg, and have a firewall on my router.
Perhaps they want you to answer Yes instead of y, since the message says "If you answer "Yes"..." :)
Welllllll.... I tried it two ways. At the CLI I would type "y" but at the smart GUI there is a little box marked "yes" which I would click on. Both ways failed. This is getting "hairy" now because I have two versions of some uploaded and updated packages in the cache which are eligible for upgrade. One slightly newer than the other. Guess I will have to review them package by package to delete the oldest version. Could this problem be that I don't have the basic gpg packages installed? Bob S.
![](https://seccdn.libravatar.org/avatar/77cb4da5f72bc176182dcc33f03a18f3.jpg?s=120&d=mm&r=g)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Tuesday 2006-09-19 at 01:32 -0400, Bob S wrote:
Could this problem be that I don't have the basic gpg packages installed?
I don't think so, dependencies would have forced installation of those if necesary. But you can try. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFFD8ldtTMYHG2NR9URAnGVAJ4qIROmyZF/adha8Q4ue4cxlIge5gCfRdX1 EYG7MAE8mFZ/L7wWT6p3ZcU= =vOZb -----END PGP SIGNATURE-----
![](https://seccdn.libravatar.org/avatar/d8f80b5863f8017700865ee38b69d4c0.jpg?s=120&d=mm&r=g)
On Thursday 14 September 2006 22:57, Anders Johansson wrote:
The solution is simple: either get the key (if you know and trust the publisher) and import it into rpm, or don't install the package.
Well funnily enough, I ran into this yesterday, while trying to install pwmanager (from Backports). I've been using Smart for a couple of years without this coming up, but clearly things are now moving that way. However, I think that if people are starting to do this, they could at least put a message somewhere that tells users how to handle these new requirements. The aptly-named Guru (Pascal Bleser, respect is due), who has started signing his packages, has a simple one-line instruction on his front page telling you what you need to do. I spent two hours yesterday googling and opensusing for something similar for the SUSE packages, but in the end I just turned off package-checking and installed the darned package. There's no point having good security if finding out how it is supposed to work means that people turn it off. The best I could find was on: http://download.opensuse.org/distribution/SL-10.0-OSS/inst-source/ where there are four .asc files which seem to be some sort of key. Will they do the trick? I don't know. Should one of them be installed, or all four? I don't know. At some point I will try, but not today. -- Pob hwyl / Best wishes Kevin Donnelly www.kyfieithu.co.uk - KDE yn Gymraeg www.eurfa.org.uk - Geiriadur rhydd i'r Gymraeg www.rhedadur.org.uk - Rhedeg berfau Cymraeg www.cymrux.org.uk - Linux Cymraeg ar un CD
participants (6)
-
Anders Johansson
-
Bob S
-
Carlos E. R.
-
Kevin Donnelly
-
mikus@bga.com
-
Patrick Shanahan