The following packages from 3.5 do not appear to be signed properly: db4-4.1.25-8.1.i386.rpm db4-devel-4.1.25-8.1.i386.rpm dump-0.4b37-1E.i386.rpm crash-3.10-10.centos.0.i386.rpm db4-java-4.1.25-8.1.i386.rpm
I checked on a CentOS-2 and CentOS-3 box.
sample problem: $ rpm -vK i386/crash-3.10-10.centos.0.i386.rpm i386/crash-3.10-10.centos.0.i386.rpm: MD5 sum mismatch Expected: 8e030692acbc9af9b7ced6a729410c42 Saw : a27b0ab402bf38be5ae6bf195ca0c355 gpg: Warning: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: Signature made Wed 25 May 2005 20:44:30 EST using DSA key ID 025E513B gpg: BAD signature from "CentOS-3 Key centos-3key@caosity.org"
$ rpm -Kv db4-4.1.25-8.1.i386.rpm db4-4.1.25-8.1.i386.rpm: Header V3 DSA signature: OK, key ID 025e513b Header SHA1 digest: OK (b07a40eedbd1cf5e4703c2164a33af213b6473a3) MD5 digest: BAD Expected(8bcaf8d8b087898cf835d9e6bba73766) != (2023f31e90546d87a3e31714a77f3af3) V3 DSA signature: BAD, key ID 025e513b
John.
I downloaded them from a different mirror and they check out OK. Does someone want to try: http://mirror.pacific.net.au/linux/CentOS/3.5/os/i386 and see if they are OK on that mirror. I am using an http proxy which could be causing a problem.
John.
John Newbigin wrote:
The following packages from 3.5 do not appear to be signed properly: db4-4.1.25-8.1.i386.rpm db4-devel-4.1.25-8.1.i386.rpm dump-0.4b37-1E.i386.rpm crash-3.10-10.centos.0.i386.rpm db4-java-4.1.25-8.1.i386.rpm
I checked on a CentOS-2 and CentOS-3 box.
sample problem: $ rpm -vK i386/crash-3.10-10.centos.0.i386.rpm i386/crash-3.10-10.centos.0.i386.rpm: MD5 sum mismatch Expected: 8e030692acbc9af9b7ced6a729410c42 Saw : a27b0ab402bf38be5ae6bf195ca0c355 gpg: Warning: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: Signature made Wed 25 May 2005 20:44:30 EST using DSA key ID 025E513B gpg: BAD signature from "CentOS-3 Key centos-3key@caosity.org"
$ rpm -Kv db4-4.1.25-8.1.i386.rpm db4-4.1.25-8.1.i386.rpm: Header V3 DSA signature: OK, key ID 025e513b Header SHA1 digest: OK (b07a40eedbd1cf5e4703c2164a33af213b6473a3) MD5 digest: BAD Expected(8bcaf8d8b087898cf835d9e6bba73766) != (2023f31e90546d87a3e31714a77f3af3) V3 DSA signature: BAD, key ID 025e513b
John.
On Wed, 2005-06-15 at 16:51 +1000, John Newbigin wrote:
I downloaded them from a different mirror and they check out OK. Does someone want to try: http://mirror.pacific.net.au/linux/CentOS/3.5/os/i386 and see if they are OK on that mirror. I am using an http proxy which could be causing a problem.
I think they have a bad sync or tampered files:
I downloaded it from a machine at duke, not behind a proxy.
rpm -K -v db4-4.1.25-8.1.i386.rpm db4-4.1.25-8.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 025e513b Header SHA1 digest: OK (b07a40eedbd1cf5e4703c2164a33af213b6473a3) MD5 digest: BAD Expected(8bcaf8d8b087898cf835d9e6bba73766) != (2023f31e90546d87a3e31714a77f3af3) V3 DSA signature: BAD, key ID 025e513b
it's not just you.
-sv
On Wed, 2005-06-15 at 02:55 -0400, seth vidal wrote:
On Wed, 2005-06-15 at 16:51 +1000, John Newbigin wrote:
I downloaded them from a different mirror and they check out OK. Does someone want to try: http://mirror.pacific.net.au/linux/CentOS/3.5/os/i386 and see if they are OK on that mirror. I am using an http proxy which could be causing a problem.
I think they have a bad sync or tampered files:
I downloaded it from a machine at duke, not behind a proxy.
rpm -K -v db4-4.1.25-8.1.i386.rpm db4-4.1.25-8.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 025e513b Header SHA1 digest: OK (b07a40eedbd1cf5e4703c2164a33af213b6473a3) MD5 digest: BAD Expected(8bcaf8d8b087898cf835d9e6bba73766) != (2023f31e90546d87a3e31714a77f3af3) V3 DSA signature: BAD, key ID 025e513b
it's not just you.
-sv
Looks like the last rsync on the site is from 12-Jun-2005 07:11 (front page timestamp) so the content is possibly out of date.
Looking specifically at db4-4.1.25-8.1.i386.rpm, I get this from that mirror:
db4-4.1.25-8.1.i386.rpm: (sha1) dsa sha1 MD5 GPG NOT OK
and this from mirror.centos.org:
db4-4.1.25-8.1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
(I also checked the file on 5 individual mirrors that are in the mirror.centos.org rrdns entry ... it was good on all 5)
So it seems that the files in question rsynced improperly and haven't been corrected.
It could be (if they have a slow connection or are using a rsync switch to limit bandwidth) that they are still downloading the 3.5 x86_64 and 4.1 i386/ia64 trees with ISOs and haven't had another rsync yet to clear it up.
I'll send an e-mail to the POC we have for the server and let them know.
-
John Newbigin -
Johnny Hughes -
seth vidal