[Yum-devel] signature checking issue if key is installed during session
Hans-Peter Jansen
hpj at urpla.net
Fri Feb 8 10:22:27 UTC 2008
On Friday, 8 February 2008, seth vidal wrote:
> On Thu, 2008-02-07 at 16:06 +0100, Hans-Peter Jansen wrote:
> > Hi again,
> >
> > I want to report a rather long standing problem with signature
> > checking: if the key is given via a gpgkey= option and gets installed
> > during the session, yum still fails with a "not installed" error:
> >
> > Downloading Packages:
> > warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID
> > bbad14ef Importing GPG key 0xBBAD14EF "OpenOffice.org OBS Project
> > <OpenOffice.org at build.opensuse.org>" from
> > http://download.opensuse.org/repositories/OpenOffice.org:/STABLE/openSU
> >SE_10.2/repodata/repomd.xml.key Is this ok [y/N]: y
> >
> >
> > Public key for OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm is not installed
> >
> > Looking into it, could this be related with
> > rpmUtils.miscutils.checkSig() running under a self.rpmdb.readOnlyTS()
> > in yum/__init__.py?
> >
> > I would understand the read only transaction as non modifiable, and
> > installing a key is a modification. But that doesn't explain why yum
> > doesn't complain about a missing key on the next run.
> >
> > Is this a well known problem?
>
> Never even remotely heard of it.
>
> Can you make sure you have all the keys installed in the rpmdb with:
> rpm -qa gpg-pubkey
>
> then check the package OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm with:
>
> rpm -K -v OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm
Seth, thanks for your answer, but I fear you got me wrong.
Look at this script session (comments start with ###, some output replaced
with [...] for better palatability):
Script wurde gestartet: Fr 08 Feb 2008 10:50:05 CET
### prepare to show the problem
pitu3:~# rpm -qa gpg-pubkey | grep bbad14ef
gpg-pubkey-bbad14ef-4796561d
pitu3:~# rpm -e gpg-pubkey-bbad14ef-4796561d
pitu3:~# rpm -e OpenOffice_org-kde
pitu3:~# rpm -K -v OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm
OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm:
Header V3 DSA signature: NOKEY, key ID bbad14ef
Header SHA1 digest: OK (d02f486c121338963e5d43e8e0e44c3a7b50fad1)
MD5 digest: OK (3957d68e0ac7395813b8a98f1102f93b)
V3 DSA signature: NOKEY, key ID bbad14ef
### ready for take off
pitu3:~# yum install OpenOffice_org-kde
ooo 100% |=========================| 951 B 00:00
update 100% |=========================| 951 B 00:00
base 100% |=========================| 951 B 00:00
[...]
Excluding Packages from SuSE 10.2 - Base
Finished
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package OpenOffice_org-kde.i586 0:2.3.1.2-1.2 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
OpenOffice_org-kde i586 2.3.1.2-1.2 ooo 329 k
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 329 k
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID bbad14ef
Importing GPG key 0xBBAD14EF "OpenOffice.org OBS Project <OpenOffice.org at build.opensuse.org>" from
http://download.opensuse.org/repositories/OpenOffice.org:/STABLE/openSUSE_10.2/repodata/repomd.xml.key
Is this ok [y/N]: y
### okay, this was all expected, since we removed the key in order to
### force yum to reinstall it, but now that:
Public key for OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm is not installed
### yum didn't find the installed key, but the key is installed:
pitu3:~# rpm -qa gpg-pubkey | grep bbad14ef
gpg-pubkey-bbad14ef-4796561d
### ..and is accepted by rpm
pitu3:~# rpm -K -v OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm
OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm:
Header V3 DSA signature: OK, key ID bbad14ef
Header SHA1 digest: OK (d02f486c121338963e5d43e8e0e44c3a7b50fad1)
MD5 digest: OK (3957d68e0ac7395813b8a98f1102f93b)
V3 DSA signature: OK, key ID bbad14ef
### consequently, yum succeeds in the second run
pitu3:~# yum install OpenOffice_org-kde
[...]
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package OpenOffice_org-kde.i586 0:2.3.1.2-1.2 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
OpenOffice_org-kde i586 2.3.1.2-1.2 ooo 329 k
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 329 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: OpenOffice_org-kde ######################### [1/1]
Installed: OpenOffice_org-kde.i586 0:2.3.1.2-1.2
Complete!
pitu3:~# exit
Script beendet: Fr 08 Feb 2008 10:52:38 CET
In spite of the fact that yum installed the key in a correct way, it failed to
use it in the same session, and succeeds in subsequent sessions only.
Now imagine that you need to set up a new machine with, say, 20 missing keys.
That leads to a very boring workflow.
I cannot believe that this behavior is due to my setup.
Pete
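
An added example, not part of the original post or of yum's code: a small Python parser for the `rpm -K -v` output shown in the session, cross-checked against the `rpm -qa gpg-pubkey` listing, so that keys which really are missing can be told apart from NOKEY results that predate a key import. The function names and the "missing"/"stale" labels are assumptions made for illustration; the sample text is copied from the session above.

```python
import re

# One result line of `rpm -K -v`, e.g.
#   "Header V3 DSA signature: NOKEY, key ID bbad14ef"
#   "MD5 digest: OK (3957...)"
CHECK_RE = re.compile(
    r"^\s*(?P<check>[^:]+?):\s+(?P<status>[A-Z]+)"
    r"(?:,\s*key ID\s+(?P<keyid>[0-9a-fA-F]{8}))?"
)
# gpg-pubkey-<key id>-<timestamp>, as listed by `rpm -qa gpg-pubkey`
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}$")

def parse_checksig(output):
    """Return [(check, status, keyid or None), ...] from `rpm -K -v` text."""
    results = []
    for line in output.splitlines():
        m = CHECK_RE.match(line)
        if m:  # the "<package>.rpm:" header line does not match
            keyid = m["keyid"].lower() if m["keyid"] else None
            results.append((m["check"], m["status"], keyid))
    return results

def installed_keyids(listing):
    """Key IDs present in the rpmdb, from `rpm -qa gpg-pubkey` text."""
    return {m.group(1) for m in map(PUBKEY_RE.match, listing.split()) if m}

def classify(checksig_output, pubkey_listing):
    """Map every key ID reported NOKEY to 'missing' (import needed) or
    'stale' (key is in the rpmdb, so the check ran before the import)."""
    have = installed_keyids(pubkey_listing)
    verdict = {}
    for _check, status, keyid in parse_checksig(checksig_output):
        if status == "NOKEY" and keyid:
            verdict[keyid] = "stale" if keyid in have else "missing"
    return verdict

# Sample text copied from the script session in the post.
BEFORE = """OpenOffice_org-kde-2.3.1.2-1.2.i586.rpm:
    Header V3 DSA signature: NOKEY, key ID bbad14ef
    Header SHA1 digest: OK (d02f486c121338963e5d43e8e0e44c3a7b50fad1)
    MD5 digest: OK (3957d68e0ac7395813b8a98f1102f93b)
    V3 DSA signature: NOKEY, key ID bbad14ef
"""
AFTER = BEFORE.replace("NOKEY", "OK")       # the second `rpm -K -v` run
KEYS_AFTER_IMPORT = "gpg-pubkey-bbad14ef-4796561d\n"

if __name__ == "__main__":
    print(classify(BEFORE, ""))                 # key not yet imported
    print(classify(BEFORE, KEYS_AFTER_IMPORT))  # state yum acted on
    print(classify(AFTER, KEYS_AFTER_IMPORT))   # re-verified
```

A "stale" verdict means the signature check has to be run again against the current keyring; it is not a reason to switch gpgcheck off.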