RPMDrake: Bad signatures

Young Padawan · 11-09-2004, 10:29 PM

I am trying to use RPMDrake to update my system and so I set it up to download all the updates it could from various FTP servers that I found using EasyURPMI. It downloaded about a gig worth of data (alot I know but I just told it to update everything that go through and find what I wanted/needed) but when I got home from work today it had a message saying that everything it tried to update had a bad signature.

Quote:

The following packages have bad signatures:

a2ps-4.13b-5mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
amarok-1.1-1mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
arts-1.2.3-9mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
audacity-1.2.2-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
bind-utils-9.3.0-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
bootsplash-2.1.13-1mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
bzip2-1.0.2-19mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#2[6752624 OK)............xlockmore-5.11-2mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
xorg-x11-6.7.0-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
xorg-x11-75dpi-fonts-6.7.0-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
xorg-x11-server-6.7.0-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
xorg-x11-xfs-6.7.0-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)

Do you want to continue installation?

There were more that it listed but I dont think I need to list the entire thing. Its quite long. Why did it do this and what can I do to fix it? should I just tell it to install everything anyway?

opjose · 11-10-2004, 02:10 AM

See: http://www.zebulon.org.uk/urpmi_en.html

for instructions on updating the keys.

This is not fatal anyway.

allforcarrie · 11-11-2004, 02:15 AM

i got the same error, all i have to do was try two or three times and it worked....

opjose · 11-11-2004, 02:28 AM

That will go ahead and install the RPM's regardless of the sig keys... which is ok.

However the above posted link explains how to correct the error messages.

Tux345 · 11-25-2004, 08:04 AM

I imported the latest keys, but still see bad signature, even after cleaning the urpmi cache. What else can I do? It's not just the package that's failing, but lots of them:

Code:

[root@chrislap tmp]# wget -o/dev/null -O- http://www.mandrakesoft.com/security/RPM-GPG-KEYS | gpg --import
gpg: key 70771FF3: public key "Mandrake Linux <mandrake@mandrakesoft.com>" imported
gpg: key 9B4A4024: public key "MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>" imported
gpg: key 22458A98: public key "Mandrake Linux Security Team <security@mandrakesoft.com>" imported
gpg: Total number processed: 3
gpg:               imported: 3
[root@chrislap tmp]# wget -o/dev/null -O- http://www.mandrakesoft.com/security/RPM-GPG-KEYS | gpg --import
gpg: key 70771FF3: "Mandrake Linux <mandrake@mandrakesoft.com>" not changed
gpg: key 9B4A4024: "MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>" not changed
gpg: key 22458A98: "Mandrake Linux Security Team <security@mandrakesoft.com>" not changed
gpg: Total number processed: 3
gpg:              unchanged: 3
[root@chrislap tmp]# urpmi samba-client

The following packages have bad signatures:
/var/cache/urpmi/rpms/samba-client-3.0.7-2.2.101mdk.i586.rpm: Invalid Key ID (sha1 md5 gpg GPG#22458a98 OK)
Do you want to continue installation ? (y/N) n
[root@chrislap tmp]# urpmi --clean
[root@chrislap tmp]# urpmi samba-client

    ftp://ftp.heanet.ie/mirrors/ftp.mand...01mdk.i586.rpm
    
The following packages have bad signatures:
/var/cache/urpmi/rpms/samba-client-3.0.7-2.2.101mdk.i586.rpm: Invalid Key ID (sha1 md5 gpg GPG#22458a98 OK)
Do you want to continue installation ? (y/N) n
[root@chrislap tmp]#

opjose · 11-25-2004, 08:43 AM

Yeah, this is normal.

The uploaded packages don't always have the latest keys applied.

Tux345 · 11-25-2004, 10:04 AM

Seems very strange to me.

Packages are signed to prevent malware being slipped into them.

If they aren't signed with the right key then any security we may have had goes straight out the window.

Surely some mistake? Or are people not bothered about security any more?

Chris.

opjose · 11-25-2004, 11:36 AM

The package updates occur so frequently that often things go unsigned.

Tux345 · 11-26-2004, 08:15 PM

That's not helpful.

The packages ARE signed, and I have the key needed to verify that they are valid.

The problem, it turned out after lots of investigation, was that /etc/urpmi/urpmi.cfg had a couple of lines saying:

key-ids: 26752624

I edited the lines to say:

key-ids: 22458a98

and now it works just fine.

It may be that I'll eventually need to edit it to say:

key-ids: 22458a98,26752624

so that both keys will be accepted.

I'm told that the problem stems from the fact that in community edition the security key (gpg-pubkey 22458a98 gpg(Mandrake Linux Security Team <security@mandrakesoft.com>)) is used to sign stuff in the 'main' source, whereas in the official edition it isn't.

This maybe shows up a bug somewhere, but in the mean time, just edit the 'key-ids' lines and the problem stops.

See the man page for 'urpmi.cfg' for more details on 'key-ids'.

Hope that helps someone's understanding of what's going on a little.

opjose · 11-27-2004, 04:38 AM

Yeah your right.

The key problem I was referring to occurs with the Contrib and PLF sources and SHOULD NEVER (really) occur with Mandrake...

Except you isolated an oversight.