[root@localhost root]# rpm -i ftp://rpmfind.net/linux/freshrpms/re...8-fr2.i386.rpm
warning : /var/tmp/rpm-xfer.K3Rwdf: V3 DSA signature: NOKEY, key ID e42d547b

why warning message is appear? what' wrong?

The warning message simply means that this file is signed and you don't have a copy of the key on your system.

It's, slightly, analogous to the driver disk signing on Windows.

The rpm should still install and since you obviously trust the place the file came from I wouldn't worry about it.

As example, for RPM's signed by RedHat the explanation and key are at
http://www.redhat.com/solutions/secu...publickey.html


XavierP wrote: The rpm should still install and since you obviously trust the place the file came from I wouldn't worry about it.
The problem with propagating proper package signing is just this enduser behaviour. People tend to think just because it's from (what they think is) a "trustworthy" site it's good enough. Well, it just isn't from a security point of view. DNS takeovers aren't impossible and in the past download locations of OpenSSH, Sendmail, TCP wrappers, Aide etc etc where compromised, and that should make it clear packages w/o pubkey sign are NOT trustworthy, regardless of what you think the source is. And MD5summing packages is helpfull but not good enough. Until developers and distributors start taking a different approach towards security and will sign by default, installing a package will remain a risk.
Help turning that risk into an acceptable risk is everyone's responsability.

unSpawn - very true, big slap on the wrist for me.

Actually, second thoughts, big slap also for the distros and the sites themselves. If the key isn't there we should have to 'force' the install rather than just getting a warning and having to go back and uninstall. By which time the damage may have been done.

At least Microsoft give you the option of not installing unsigned drivers. Maybe a suggestion should be made to the distro makers.