[Yum-devel] signature checking issue if key is installed during session

Hans-Peter Jansen hpj at urpla.net
Fri Feb 8 10:22:27 UTC 2008


On Friday, 8 February 2008, seth vidal wrote:
> On Thu, 2008-02-07 at 16:06 +0100, Hans-Peter Jansen wrote:
> > Hi again,
> >
> > I want to report a rather long standing problem with signature
> > checking: if the key is given via a gpgkey= option and gets installed
> > during the session, yum still fails with a "not installed" error:
> >
> > Downloading Packages:
> > warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID bbad14ef
> > Importing GPG key 0xBBAD14EF "OpenOffice.org OBS Project <OpenOffice.org at build.opensuse.org>" from
> > http://download.opensuse.org/repositories/OpenOffice.org:/STABLE/openSUSE_10.2/repodata/repomd.xml.key
> > Is this ok [y/N]: y
> >
> >
> > Public key for OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm is not installed
> >
> > Looking into it, could this be related to
> > rpmUtils.miscutils.checkSig() running under a self.rpmdb.readOnlyTS()
> > in yum/__init__.py?
> >
> > I would understand the read only transaction as non modifiable, and
> > installing a key is a modification. But that doesn't explain why yum
> > doesn't complain about a missing key on the next run..
> >
> > Is this a well known problem?
>
> Never even remotely heard of it.
>
> Can you make sure you have all the keys installed in the rpmdb with:
> rpm -qa gpg-pubkey
>
> then check the package OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm with:
>
> rpm -K -v OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm

Seth, thanks for your answer, but I fear you got me wrong.

Look at this script session (comments start with ###, some output replaced
with [...] for better palatability):

Script wurde gestartet: Fr 08 Feb 2008 10:50:05 CET
### prepare to show the problem
pitu3:~# rpm -qa gpg-pubkey | grep bbad14ef
gpg-pubkey-bbad14ef-4796561d
pitu3:~# rpm -e gpg-pubkey-bbad14ef-4796561d
pitu3:~# rpm -e OpenOffice_org-kde
pitu3:~# rpm -K -v OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm
OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm:
    Header V3 DSA signature: NOKEY, key ID bbad14ef
    Header SHA1 digest: OK (d02f486c121338963e5d43e8e0e44c3a7b50fad1)
    MD5 digest: OK (3957d68e0ac7395813b8a98f1102f93b)
    V3 DSA signature: NOKEY, key ID bbad14ef
### ready for take off
pitu3:~# yum install OpenOffice_org-kde
ooo                       100% |=========================|  951 B    00:00     
update                    100% |=========================|  951 B    00:00     
base                      100% |=========================|  951 B    00:00     
[...]
Excluding Packages from SuSE 10.2 - Base
Finished
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package OpenOffice_org-kde.i586 0:2.3.1.2-1.2 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size 
=============================================================================
Installing:
 OpenOffice_org-kde      i586       2.3.1.2-1.2      ooo               329 k

Transaction Summary
=============================================================================
Install      1 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 329 k
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID bbad14ef
Importing GPG key 0xBBAD14EF "OpenOffice.org OBS Project <OpenOffice.org at build.opensuse.org>" from 
http://download.opensuse.org/repositories/OpenOffice.org:/STABLE/openSUSE_10.2/repodata/repomd.xml.key
Is this ok [y/N]: y
### okay, this was all expected, since we removed the key in order to
### force yum to reinstall it, but now that:


Public key for OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm is not installed
### yum didn't find the installed key, but the key is installed:
pitu3:~# rpm -qa gpg-pubkey | grep bbad14ef
gpg-pubkey-bbad14ef-4796561d
### ..and is accepted by rpm
pitu3:~# rpm -K -v OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm
OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm:
    Header V3 DSA signature: OK, key ID bbad14ef
    Header SHA1 digest: OK (d02f486c121338963e5d43e8e0e44c3a7b50fad1)
    MD5 digest: OK (3957d68e0ac7395813b8a98f1102f93b)
    V3 DSA signature: OK, key ID bbad14ef
### consequently, yum succeeds in the second run
pitu3:~# yum install OpenOffice_org-kde
[...]
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package OpenOffice_org-kde.i586 0:2.3.1.2-1.2 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size 
=============================================================================
Installing:
 OpenOffice_org-kde      i586       2.3.1.2-1.2      ooo               329 k

Transaction Summary
=============================================================================
Install      1 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 329 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing:  OpenOffice_org-kde           ######################### [1/1] 

Installed: OpenOffice_org-kde.i586 0:2.3.1.2-1.2
Complete!
pitu3:~# exit

Script beendet: Fr 08 Feb 2008 10:52:38 CET

In spite of the fact that yum installed the key in a correct way, it failed to
use it in the same session, and succeeds in subsequent sessions only.

Now imagine that you need to set up a new machine with, say, 20 missing keys.
That leads to a very boring workflow.

I cannot believe that this behavior is due to my setup.

Pete
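
The cross-check performed by hand in the session above (signature status from `rpm -K -v` against the key list from `rpm -qa gpg-pubkey`), as an added example that is not part of the original message or of yum. The function names and verdict labels are hypothetical; the sample inputs are copied from the session.

```python
import re

# Inputs copied from the session in the message above (before the key import).
RPM_K_NOKEY = """\
OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm:
    Header V3 DSA signature: NOKEY, key ID bbad14ef
    Header SHA1 digest: OK (d02f486c121338963e5d43e8e0e44c3a7b50fad1)
    MD5 digest: OK (3957d68e0ac7395813b8a98f1102f93b)
    V3 DSA signature: NOKEY, key ID bbad14ef
"""
PUBKEYS = "gpg-pubkey-bbad14ef-4796561d\n"  # `rpm -qa gpg-pubkey` after import

SIG_RE = re.compile(r"signature:\s*(\w+), key ID ([0-9a-fA-F]{8})")
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}$")


def installed_key_ids(rpm_qa_output):
    """Key IDs in the rpmdb; entries are named gpg-pubkey-<keyid>-<created>."""
    matches = (PUBKEY_RE.match(l.strip()) for l in rpm_qa_output.splitlines())
    return {m.group(1) for m in matches if m}


def signature_results(rpm_k_output):
    """Map package file -> list of (status, key_id) from `rpm -K -v` output."""
    results, current = {}, None
    for line in rpm_k_output.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            results[current] = []
        elif current is not None:
            m = SIG_RE.search(line)
            if m:
                results[current].append((m.group(1), m.group(2).lower()))
    return results


def classify(rpm_k_output, rpm_qa_output):
    """Verdict per package: ok, unsigned, key-missing, stale-nokey, bad."""
    have = installed_key_ids(rpm_qa_output)
    verdicts = {}
    for pkg, sigs in signature_results(rpm_k_output).items():
        nokey = {k for status, k in sigs if status == "NOKEY"}
        if not sigs:
            verdicts[pkg] = "unsigned"
        elif nokey:
            # NOKEY although the key is in the rpmdb is the symptom reported.
            verdicts[pkg] = "stale-nokey" if nokey <= have else "key-missing"
        elif all(status == "OK" for status, _ in sigs):
            verdicts[pkg] = "ok"
        else:
            verdicts[pkg] = "bad"
    return verdicts
```

A `stale-nokey` verdict means the verifier reported NOKEY for a key that the rpmdb already lists, which is the state yum was in after importing the key mid-session.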


