Howdy folks,

$ cd /opt/mirrors/centos/4.2
$ find -type f | grep "\.rpm" | while read i; do rpm -K "$i"; done | egrep -v ": \(sha1\) dsa sha1 md5 gpg OK\$"
centosplus/SRPMS/reiserfs-utils-3.6.19-2.1.src.rpm: sha1 md5 OK
extras/SRPMS/drbd-0.7.14-1.centos4.src.rpm: sha1 md5 OK
extras/SRPMS/ipvsadm-1.24-6.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)
updates/SRPMS/ethereal-0.10.13-1.EL4.1.src.rpm: sha1 md5 OK

The previous packages seem to lack gpg signatures (and ipvsadm seems to have a signature unlike all the other packages...)

Cheers,
MaZe.

Ignacio Vazquez-Abrams
2005-Dec-31 13:54 UTC
[CentOS] Missing GPG sigs on Centos 4.2 SRPMS
On Sat, 2005-12-31 at 14:38 +0100, Maciej Żenczykowski wrote:
> extras/SRPMS/ipvsadm-1.24-6.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)

> (and ipvsadm seems to
> have a signature unlike all the other packages...)

What's worse is that it's a *Red Hat* key...

[ignacio at ignacio ~]$ gpg /etc/pki/rpm-gpg/RPM-GPG-KEY
pub  1024D/DB42A60E 1999-09-23 Red Hat, Inc <security at redhat.com>
sub  2048g/961630A2 1999-09-23
[ignacio at ignacio ~]$

--
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>
http://centos.ivazquez.net/

gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72

> What's worse is that it's a *Red Hat* key...

Not sure if that's bad - it's only a SRPMS after all, I'm not even convinced that un-modified SRPMS should be re-signed by CentOS (after all what for?)

> [ignacio at ignacio ~]$ gpg /etc/pki/rpm-gpg/RPM-GPG-KEY
> pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc <security at redhat.com>
> sub 2048g/961630A2 1999-09-23

I thought I'd seen those 8 hex digits before... :)

Cheers,
MaZe.
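
Added example, not part of the thread: the egrep filter in the first message hides fully verified packages but leaves "no signature at all" and "signed with a key that is not in the rpm keyring" mixed together in one listing. The shell function below separates those states for the `rpm -K` line format quoted in the thread; the function names, state labels and the last sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `rpm -K` result lines in the format quoted in the thread.

# Sample input: four lines copied from the thread, plus one constructed
# fully-signed line (the last one) so every state is exercised.
sample_rpm_k_output() {
    cat <<'EOF'
centosplus/SRPMS/reiserfs-utils-3.6.19-2.1.src.rpm: sha1 md5 OK
extras/SRPMS/drbd-0.7.14-1.centos4.src.rpm: sha1 md5 OK
extras/SRPMS/ipvsadm-1.24-6.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)
updates/SRPMS/ethereal-0.10.13-1.EL4.1.src.rpm: sha1 md5 OK
os/SRPMS/constructed-example-1.0-1.src.rpm: (sha1) dsa sha1 md5 gpg OK
EOF
}

# Reads `rpm -K` lines on stdin and prints "<state>TAB<path>[TAB<key ids>]".
# Assumption: the package path itself does not contain ": ".
classify_rpm_k() {
    while IFS= read -r line; do
        path=${line%%: *}      # text before the first ": "
        result=${line#*: }     # text after the first ": "
        case "$result" in
            *"MISSING KEYS: "*)
                # Signature present, but its key is not in the rpm keyring.
                keys=${result##*MISSING KEYS: }
                keys=${keys%%)*}
                printf 'missing-key\t%s\t%s\n' "$path" "$keys" ;;
            *"NOT OK"*)
                # A digest or signature check failed outright.
                printf 'bad\t%s\n' "$path" ;;
            *" OK")
                # Digest names only (sha1, md5) means no signature was checked.
                case $(printf '%s' "$result" | tr 'A-Z' 'a-z') in
                    *dsa*|*rsa*|*gpg*|*pgp*)
                        printf 'signed-ok\t%s\n' "$path" ;;
                    *)
                        printf 'unsigned\t%s\n' "$path" ;;
                esac ;;
            *)
                printf 'unparsed\t%s\n' "$path" ;;
        esac
    done
}

# Stand-alone run over the embedded sample.
sample_rpm_k_output | classify_rpm_k
```

On a real mirror tree, the `rpm -K` loop from the first message can be piped into `classify_rpm_k` in place of the egrep filter.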