Mailinglist Archive: opensuse-security (88 mails)

Unverifiable GPG Signatures
  • From: Bernie Hoefer <SuSE-User01@xxxxxxxxxxxxxxxxx>
  • Date: Fri, 07 Apr 2006 11:25:09 -0500
  • Message-id: <44369265.5060702@xxxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Java2 and Java2-JRE 1.4.2-129.23 packages that were uploaded to
the SuSE FTP site on March 28th don't have the same version of GPG
signatures as previous Java2 packages. Thus, they cannot be verified.
(Or at least I do not know how to verify them.) For example, on one of
the packages that was released 2005-12-20:

===
> $ rpm --checksig ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.19.i586.rpm
> ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.19.i586.rpm: sha1 md5 gpg OK
===

I can verify the GPG signature. But on one of the packages that was
released 2006-03-28:

===
> $ rpm --checksig ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.23.i586.rpm
> only V3 or V4 signatures can be verified, skipping V0 signature
> ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.23.i586.rpm: sha1 md5 OK
===

- --
Bernie Hoefer
PGP e-mail is welcome! Get my 1024 bit signature key from:
<http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x446A6F93>.
"The more I know, the more I realize how much I do not understand."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFENpJbckGmqURqb5MRAlVaAJ4le5jc5HWhXWxkHKBQAz3iMxizOACeK2ra
yGkOg+nUFCTQLrgqe7kCILE=
=bnjS
-----END PGP SIGNATURE-----
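
Added example, not part of the original post: a shell function that reads `rpm --checksig` output like the two results quoted above and flags packages where only the sha1/md5 digests passed and no signature was verified. The function names, the status labels, the constructed failure line, and the signature token names other than `gpg` are assumptions.

```shell
#!/bin/sh
# Constructed sample: the two result blocks quoted in the post, plus one
# constructed failure line (rpm prints failed checks in upper case).
sample_checksig_output() {
cat <<'EOF'
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.19.i586.rpm: sha1 md5 gpg OK
only V3 or V4 signatures can be verified, skipping V0 signature
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/java2-1.4.2-129.23.i586.rpm: sha1 md5 OK
/tmp/constructed-example.rpm: sha1 MD5 NOT OK
EOF
}

# Reads `rpm --checksig` output on stdin and prints "<status> <package>":
#   SIGNED       a signature check is listed among the passed checks
#   DIGEST_ONLY  digests passed, but no signature was verified
#   FAILED       rpm reported NOT OK
# Returns non-zero if any package is not SIGNED.
# Usage: rpm --checksig *.rpm 2>&1 | classify_checksig
classify_checksig() {
    awk '
    / NOT OK/ {
        pkg = $0; sub(/: [^:]* NOT OK.*$/, "", pkg)
        print "FAILED " pkg; bad = 1; next
    }
    / OK$/ {
        # Split "<package>: <checks> OK" at the last ": ".
        pkg = $0; sub(/: [^:]*$/, "", pkg)
        checks = substr($0, length(pkg) + 3)
        n = split(checks, tok, " "); signed = 0
        # Token names other than gpg are assumptions covering other
        # rpm versions; digests (sha1, md5) never count as a signature.
        for (i = 1; i < n; i++)
            if (tok[i] ~ /^(gpg|pgp|dsa|rsa|signatures)$/) signed = 1
        if (signed) print "SIGNED " pkg
        else { print "DIGEST_ONLY " pkg; bad = 1 }
        next
    }
    # Other lines, such as the "skipping V0 signature" warning, carry no
    # per-package result and are ignored; the missing gpg token is the signal.
    END { exit bad + 0 }
    '
}
```

A `DIGEST_ONLY` result means the package matches its own embedded checksums but its origin was not authenticated, so an update script should treat it the same as `FAILED`.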
