Re: missing keys on yum update -- evolution-data-server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Joel Rees wrote:
Want to ping the list on this (copied by hand because I yummed from a virtual console instead of X11):
-----------------------
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2 Public key for evolution-data-server-1.6.2-1.fc5.1.i386.rpm is not installed
Retrieving GPG key from file :///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
Importing GPG key 0x4F2A6FD2 "Fedora Project <fedora@xxxxxxxxxx>"
------------------------
I found the key and fingerprint at
    http://fedora.redhat.com/About/security/
after some indirect searching and checked that the fingerprint and random pieces of the encoded key match.

What's the issue here?
Well, I had to drag my Mac Mini over next to the AMD box so I could look at the ID and the public key referenced and then look them up to check that I was letting the installer add a valid key. No big deal really, just thinking that perhaps that particular key should have already been in yum's pre-imported keys.
The key wasn't already present in your rpm database (have you never done "yum update" on this system before?)
Fresh install. evolution-data-server was
                        ***
something like 170th of 320 packages being updated in the first sweep.
                        ***
Missing a pre-imported key, same-old same-old, and I'm sure that when I get my hands free to go look it up on bugzilla, there'll already be a bug or two for it, just wondering if it had caused any noise on this list yet. Besides, missing keys are not something one should keep hush-hush.
, so yum imported the repo GPG key from the file already on your system from the initial install (/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora) as it is configured to do by the repo file /etc/yum.repos.d/fedora-updates.repo. It then used the key to verify that the downloaded evolution-data-server package was intact and actually an official Fedora package.
Yeah. That's what it's supposed to do when the key is not present.
It just seems a little strange that RPM-GPG-KEY-fedora was missing from yum's collection of pre-imported keys. (That and I was really tired at five this morning when yum complained, so having to take the three minutes to drag the Mini over felt a little bit like an inconvenience, GOL. I've got to get some sleep tonight.)

Yum, or rather rpm, has no pre-imported keys at all.

That's a surprise. (Or maybe not?)

Every one of them is installed as a resutt of some post-installation action, such as running a "yum update". The keys are supplied out-of-the-box in the fedora-release package, but they're not pre-imported into the rpm database.

Well, I'm pretty sure that evolution-data-server was not the first downloaded, not the first untarred, not the first installed, and not the first tested. Did the ones that got installed first have no keys at all?

My *guess* is that evolution-data-server was the most recent package in the repo at the time you did the update, and thus first in yum's internal data structures when it came to do the checking. But that's just a guess.

It's possible that, for whatever reason, the evolution-data-server package was the first one yum tried to check the GPG signature of when you did the update, since all of the updates packages should be signed by that key.

I hear what you're saying, I'm having a hard time matching it to my memory of the install.

Is it possible that other packages were using the public keys directly out of /etc/pki rather than expecting them to be in RPM/yum's private keystore?

No. Yum always uses keys from the rpm database (use "rpm -q gpg-pubkey" to list them all).

Otherwise, I'd expect to have been prompted to confirm key imports at least three other times during the first update, based on what was being updated.

Is that because you were using two repos other than the standard Fedora ones?

(I'm trying to remember what my first updates in FC3 and FC4 were llike. I do remember hitting exactly one of those confirmation and just hitting yes without checking when I installed FC4 on a box at work once. The boss was giving me the evil eye because the install was taking, in his opinion, too long already, so I just trusted it.)

That makes sense.

Paul.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux