Howdy folks,

$ cd /opt/mirrors/centos/4.2
$ find -type f | grep ".rpm" | while read i; do rpm -K "$i"; done | egrep -v ": (sha1) dsa sha1 md5 gpg OK$"
centosplus/SRPMS/reiserfs-utils-3.6.19-2.1.src.rpm: sha1 md5 OK
extras/SRPMS/drbd-0.7.14-1.centos4.src.rpm: sha1 md5 OK
extras/SRPMS/ipvsadm-1.24-6.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)
updates/SRPMS/ethereal-0.10.13-1.EL4.1.src.rpm: sha1 md5 OK

The previous packages seem to lack gpg signatures (and ipvsadm seems to have a signature unlike all the other packages...)
Cheers, MaZe.
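
The check in the message above, as an added example that is not part of the original thread: instead of hiding good lines with `egrep -v`, it sorts each `rpm -K` result into signed, unsigned (digests only), missing key, or failed. The function names `classify_rpm_k` and `sample_rpm_k_output` and the one "OK" sample line are constructed for illustration; going beyond the post, it also accepts the `digests signatures OK` form printed by newer rpm releases.

```shell
#!/bin/sh
# Added example: classify `rpm -K` result lines instead of filtering with egrep -v.
# Real use (from the mirror root):
#   find . -type f -name '*.rpm' -exec rpm -K {} + | classify_rpm_k

classify_rpm_k() {
    awk '
    {
        sep = index($0, ": ")
        if (sep == 0) next                 # not a "<file>: <result>" line
        file = substr($0, 1, sep - 1)
        res = substr($0, sep + 2)
        detail = "-"
        if (res ~ /MISSING KEYS:/) {       # signed, but key not in the rpm keyring
            state = "MISSING_KEY"
            detail = res
            sub(/.*MISSING KEYS: */, "", detail)
            sub(/\).*/, "", detail)        # keep only the key id, e.g. GPG#xxxxxxxx
        } else if (res ~ /NOT OK/) {       # digest or signature check failed
            state = "BAD"
        } else if (tolower(" " res " ") ~ /[^a-z](dsa|rsa|gpg|pgp|signatures)[^a-z]/) {
            state = "SIGNED_OK"            # a signature was present and verified
        } else {
            state = "UNSIGNED"             # digests only: integrity, no authenticity
        }
        if (state != "SIGNED_OK") flagged++
        printf "%s\t%s\t%s\n", state, file, detail
    }
    END { exit (flagged > 0) }             # non-zero exit when anything needs review
    '
}

# Sample input: the four result lines from the post plus one constructed OK line.
sample_rpm_k_output() {
    cat <<'EOF'
centosplus/SRPMS/reiserfs-utils-3.6.19-2.1.src.rpm: sha1 md5 OK
extras/SRPMS/drbd-0.7.14-1.centos4.src.rpm: sha1 md5 OK
extras/SRPMS/ipvsadm-1.24-6.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)
updates/SRPMS/ethereal-0.10.13-1.EL4.1.src.rpm: sha1 md5 OK
os/SRPMS/constructed-example-1.0-1.src.rpm: (sha1) dsa sha1 md5 gpg OK
EOF
}

sample_rpm_k_output | classify_rpm_k || echo "review needed: not every package is signed by a trusted key"
```

A `MISSING_KEY` result only says the signing key is absent from the local rpm keyring; whether that key should be trusted is a separate decision, as the replies below discuss.
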
On Sat, 2005-12-31 at 14:38 +0100, Maciej Żenczykowski wrote:
> extras/SRPMS/ipvsadm-1.24-6.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)
> (and ipvsadm seems to have a signature unlike all the other packages...)
What's worse is that it's a *Red Hat* key...

[ignacio@ignacio ~]$ gpg /etc/pki/rpm-gpg/RPM-GPG-KEY
pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc security@redhat.com
sub 2048g/961630A2 1999-09-23
[ignacio@ignacio ~]$

> What's worse is that it's a *Red Hat* key...
Not sure if that's bad - it's only a SRPMS after all, I'm not even convinced that un-modified SRPMS should be resigned by CentOS (after all what for?)
> [ignacio@ignacio ~]$ gpg /etc/pki/rpm-gpg/RPM-GPG-KEY
> pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc security@redhat.com
> sub 2048g/961630A2 1999-09-23
I thought I'd seen those 8 hexdigits before... :)
Cheers, MaZe.
On Sat, 2005-12-31 at 15:00 +0100, Maciej Żenczykowski wrote:
> > What's worse is that it's a *Red Hat* key...
> Not sure if that's bad - it's only a SRPMS after all, I'm not even convinced that un-modified SRPMS should be resigned by CentOS (after all what for?)
Well ... we have discussed this, and we do wish to sign the SRPMS so we know they are the ones we used. There are other distros that do not resign the SRPMS.
The ones you mentioned are now replaced and going to the mirrors.
Thanks, Johnny Hughes