Mailinglist Archive: opensuse-security (32 mails)

Re: [opensuse-security] Packages from "update" (11.0) unsigned?
  • From: Werner Flamme <werner.flamme@xxxxxx>
  • Date: Wed, 21 Jan 2009 11:50:57 +0100
  • Message-id: <4976FE11.8050101@xxxxxx>
Ludwig Nussel [21.01.2009 10:31]:
> Werner Flamme wrote:
>> I noticed that for the last 5(?) times I got unsigned packages from the
>> <http://download.opensuse.org/updates/11.0> repository. As far as I
>> know, these are security updates - shouldn't they be signed?
>
> Of course. Which ones are not signed? Looking at random samples on
> our staging server everything looks fine.
>
> cu
> Ludwig


Ludwig,

sorry, I was looking at 11.1 update repo, not 11.0.

Apt told me - for example - packages xrdp and autofs were unsigned. Now
I see:
# rpm --checksig autofs_5.0.3-82.28.1_x86%5f64.rpm
autofs_5.0.3-82.28.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
# rpm --checksig xrdp_0.4.1-16.6.1_x86%5f64.rpm
xrdp_0.4.1-16.6.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK

Hm... what does rpm know that apt doesn't? And why does apt
(apt-0.5.15lorg3.2-123.14) cry about "unsigned", when it is signed?

On a 11.0 box, the checks tell:
# rpm --checksig autofs-5.0.3-82.28.1.x86_64.rpm
autofs-5.0.3-82.28.1.x86_64.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK
(MISSING KEYS: PGP#3dbdc284)
# rpm --checksig xrdp-0.4.1-16.6.1.x86_64.rpm
xrdp-0.4.1-16.6.1.x86_64.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING
KEYS: PGP#3dbdc284)

OK, the key may be specific to 11.1. Normally, apt tells me that a
package is signed with an unknown key... This may be the case on the
11.1 box:
# gpg --list-keys --no-default-keyring --keyring
/usr/lib/rpm/gnupg/pubring.gpg 3dbdc284
pub 2048R/3DBDC284 2008-11-07 [verfällt: 2010-11-07]
uid openSUSE Project Signing Key <opensuse@xxxxxxxxxxxx>
# gpg --list-keys | grep -i 3dbdc284
#

So I think I get a "wrong error", apt tells me the packages are unsigned
while they are signed with a key unknown to apt (since apt uses the
default keyring for root, not /usr/lib/rpm/gnupg/pubring.gpg).

Sorry to disturb you for nothing :-(. I will see what happens with the
next updates, when the standard gpg database knows the build key.

Regards,
Werner
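
The distinction this mail arrives at (unsigned versus signed with a key missing from the keyring) can be read off `rpm --checksig` output mechanically. The script below is an added example, not part of the original mail or of any openSUSE tooling. The names `classify_checksig` and `sample_output` are hypothetical, the third sample line is constructed, and the script assumes an unsigned package lists only digest tokens.

```shell
#!/bin/sh
# Added example: classify `rpm --checksig` output lines.
# Verdicts: signed-ok, missing-key <keyid>, bad, unsigned.
classify_checksig() {
    awk '
    function flush(   pkg, rest, key) {
        if (rec == "") return
        pkg = rec;  sub(/: .*/, "", pkg)        # file name before ": "
        rest = rec; sub(/^[^:]*: /, "", rest)   # result tokens after it
        if (rest ~ /MISSING KEYS:/) {
            # Signature present, but its public key is not in the keyring.
            key = rest
            sub(/.*MISSING KEYS:[^#]*#/, "", key)
            sub(/[^0-9A-Fa-f].*/, "", key)
            print pkg, "missing-key", key
        } else if (rest ~ /NOT OK/) {
            print pkg, "bad"                    # digest or signature mismatch
        } else if ((" " tolower(rest) " ") ~ /[ (](rsa|dsa|pgp|gpg|signatures)[ )]/) {
            print pkg, "signed-ok"
        } else {
            print pkg, "unsigned"               # assumption: digest tokens only
        }
        rec = ""
    }
    /\.rpm: /  { flush(); rec = $0; next }      # a new package result starts
    rec != ""  { rec = rec " " $0 }             # continuation of a wrapped line
    END        { flush() }
    '
}

# Sample input: the first two results are from the mail (the second wrapped
# as quoted there); the third line is constructed to show an unsigned package.
sample_output() {
    cat <<'EOF'
autofs_5.0.3-82.28.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
xrdp-0.4.1-16.6.1.x86_64.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING
KEYS: PGP#3dbdc284)
example-unsigned-1.0-1.x86_64.rpm: sha1 md5 OK
EOF
}

sample_output | classify_checksig
```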