LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 04-27-2004, 12:32 AM   #1
nygiants#1
LQ Newbie
 
Registered: Apr 2004
Distribution: Fedora
Posts: 6

Rep: Reputation: 0
Unhappy Fedora updates - package does not have a valid GPG


I have Fedora Core 1 installed.

When I try to download Fedora's updates from Redhat, some of the updates return the following message; "The package 'does not have a valid GPG signature. It has been tampered with or corrupted.' Continue No, Yes."

Is there a security risk if I continue?
Will the packages corrupt my system if I try to install them?
Is anyone maintaining redhat's downloads to protect against scriptkiddies tampering with files? These Fedora update files have been on there web site for quite some time now and no one has done anything to change them.

Can anyone answer these questions or does anyone have any comments or suggestions!

Last edited by nygiants#1; 04-27-2004 at 09:52 PM.
 
Old 04-27-2004, 10:13 AM   #2
whtriced
LQ Newbie
 
Registered: Mar 2004
Location: Central New York, USA
Distribution: openSUSE, Ubuntu
Posts: 14

Rep: Reputation: 0
I found some other mirrors that had the same packages and used them. You
need to put them in the same directory that the packages from redhat go in.

Something like /usr/var/spool/up2date

I'm at work, so using Win, I don't have access to the actual path.

The mirror closest to me is mirror.clarkson.edu

Hope this helps out.
 
Old 04-27-2004, 04:18 PM   #3
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,155

Rep: Reputation: 56
remove the package from /var/spool/up2date

example...

rm /var/spool/up2date/gftp*


then run this if there are more packages to be installed in the up2date folder.

rpm -Uv /var/spool/up2date/*rpm


now try this..

up2date gftp
 
Old 04-27-2004, 10:07 PM   #4
nygiants#1
LQ Newbie
 
Registered: Apr 2004
Distribution: Fedora
Posts: 6

Original Poster
Rep: Reputation: 0
Hi Dave

I installed all the good files from Redhat because I downloaded them individually. It was the only way I could do it to prevent me from installing the files the produced the above error message. Therefore I do not want to install anymore files in the directory /var/spool/up2date until I know it is safe to do so.

Since I have installed the the good files, is it now safe to delete everything in that directory and if so what is the command I would use?
 
Old 04-27-2004, 10:10 PM   #5
nygiants#1
LQ Newbie
 
Registered: Apr 2004
Distribution: Fedora
Posts: 6

Original Poster
Rep: Reputation: 0
Hi whtriced

By mirror site, do you mean

ftp://mirror.clarkson.edu in my web browser?

I am having difficulty trying to determine how to connect to a mirror site to find these files

Last edited by nygiants#1; 04-27-2004 at 10:13 PM.
 
Old 04-28-2004, 10:28 AM   #6
whtriced
LQ Newbie
 
Registered: Mar 2004
Location: Central New York, USA
Distribution: openSUSE, Ubuntu
Posts: 14

Rep: Reputation: 0
Yes, that is what I was driving at.

If you put the package name into goole it will bring up sites that contain that package. I try to use mirror sites that are in universities, as they are usually pretty careful about security. Always use the md5 checksum from Redhat to deterine if the package has been tampered with or contains errors.

Hope this helps.
 
Old 04-28-2004, 11:46 AM   #7
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,155

Rep: Reputation: 56
rm -rf /var/spool/up2date/*


the rpm install always checks by default so if you are successful by running rpm -iv *rpm in the up2date folder that is ok. If you get errors remove the bad file.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
All updates reported as 0KB and do not have valid GPG signatures. What's wrong? MadJock Fedora 3 01-17-2006 10:43 PM
Distro package updates/iso's Vesical Fedora 1 07-01-2004 08:13 AM
Can't verify package gpg signatures on Mandrake 10 ayn Mandriva 0 06-09-2004 08:45 AM
Instructions: 2.6.x src. kernel build for Redhat Base. Package Updates from Fedora mchirico Red Hat 0 05-11-2004 08:19 PM
package does not have valid GPG signature amOrpheus Linux - Newbie 3 01-20-2004 07:48 PM


All times are GMT -5. The time now is 10:54 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration