Mailinglist Archive: opensuse-security (88 mails)

< Previous Next >
Re: [suse-security] Unverifiable GPG Signatures
  • From: Robert Schiele <rschiele@xxxxxxxxxxxxxxx>
  • Date: Sat, 8 Apr 2006 21:14:57 +0200
  • Message-id: <20060408191457.GR9680@xxxxxxxxxxxxxxxxxx>
On Fri, Apr 07, 2006 at 11:25:09AM -0500, Bernie Hoefer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The Java2 and Java2-JRE 1.4.2-129.23 packages that were uploaded to
> the SuSE FTP site on March 28th don't have the same version of GPG
> signatures as previous Java2 packages. Thus, they cannot be verified.
> (Or at least I do not know how to verify them.) For example, on one of
> the packages that was released 2005-12-20:
>
> ===
> > $ rpm --checksig ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.19.i586.rpm
> > ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.19.i586.rpm: sha1 md5 gpg OK
> ===
>
> I can verify the GPG signature. But on one of the packages that was
> released 2006-03-28:
>
> ===
> > $ rpm --checksig ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.23.i586.rpm
> > only V3 or V4 signatures can be verified, skipping V0 signature
> > ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.23.i586.rpm: sha1 md5 OK
> ===

https://bugzilla.novell.com/show_bug.cgi?id=160832

Robert

--
Robert Schiele Tel.: +49-621-181-2214
Dipl.-Wirtsch.informatiker mailto:rschiele@xxxxxxxxxxxxxxx

"Quidquid latine dictum sit, altum sonatur."
< Previous Next >
Follow Ups
References