LinuxQuestions.org
Old 02-29-2004, 05:48 PM   #1
kpachopoulos
Member
 
Registered: Feb 2004
Location: Athens, Greece
Distribution: Gentoo,FreeBSD, Debian
Posts: 705

Rep: Reputation: 30
"Bad signatures"- unsuccessful rpm installation


Together with my download Mandrake 9.2 Linux edition came a CD full of updates. But when I try to install them, a message informs me they have "bad signatures". I proceed with the installation. After that I type in the console: "rpm -V rpmname.rpm" and I find out it has not really been installed. I then try "rpm -U rpmname.rpm" or I double-click on the rpm file and a message appears that the rpm has already been installed. I searched the Internet, but I found nothing specific; I only read something about "public keys". The Mandrake site has nothing interesting.
What does "bad signature" mean?
Have my rpms really been installed?
Where can I find these "keys", if I really need them?
 
Old 03-01-2004, 10:15 AM   #2
motub
Senior Member
 
Registered: Sep 2003
Location: The Netherlands
Distribution: Gentoo (main); SuSE 9.3 (fallback)
Posts: 1,607

Rep: Reputation: 46
Quote:
Have my rpms really been installed?
That depends. When the error message came up asking if you wanted to install anyway, despite the "bad signatures", did you choose "yes" or "no"? If "yes", then the rpms installed anyway. If "no", they did not. Easiest way to be certain is to open up RPMDrake (Remove Programs) and look to see if the program in question is in the list. If it is, then it is installed (since RPMDrake couldn't offer to remove it if it wasn't).

GPG keys are a security measure to authenticate rpms, so that you can be certain that the server was not hacked and all the rpms replaced by other files bearing the same name but performing evil function. The rpm builder "signs" the rpm with a key, half of which is public and half of which is private. You (the public) get the public key, which enables Mandrake to read the private key and authenticate the RPM, proving that it hasn't been tampered with. This is why when you perform operations as root via the Mandrake Control Center, a little keyring appears in your panel. It actually is a keyring, with the authentication keys loaded and running.

However, it's not overwhelmingly likely that an official CD or an official Mandrake mirror has been so severely tampered with -- and further, without anyone knowing about it and shutting the repository down or issuing a warning about the CD or whatever-- that the keys are anything more than a formality.

Unfortunately, atm, even the formality isn't working right. Unlike previous versions of Mandrake, you (supposedly) no longer have to find the keys for each unofficial repository (the official Mandrake key is supposed to be installed with the distribution). The keys are added automatically when you add a repository to the Software Media Manager. Except that at least one of them (in my experience, the one named something like "bad SHA1 md5 OK") is not installed, and I have not seen where to get it. The key may be old or changed, and the entire issue may be related to the "contrib repository issue", which reports that (every single) contrib repository is using an old or invalid list file, which would explain why the key (either old or updated) isn't installed. I have also heard reports of certain keys not being installed from officially sponsored CDs bundled with magazines.

If you got an official Mandrake Update CD, it's really unlikely that the packages on it are bad, so go ahead and install them. The whole thing is pretty annoying (because it's such an alarming message), but not worth losing sleep over.

Hope this helps.
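
Added example (not written by either poster above): a small shell function that sorts one line of `rpm -K file.rpm` (`--checksig`) output into "signed and verified", "digest only", "key missing" or "failed", since a "bad signature" warning can mean either of the last two. It assumes the rpm 4.x output format (lowercase token = passed, uppercase = failed, `MISSING KEYS` = signer's public key not in rpm's keyring); the sample lines and the key ID `00000000` are constructed.

```shell
#!/bin/sh
# Classify one line of `rpm -K <file.rpm>` output (assumed rpm 4.x format).
#   signed-ok    a signature was checked against an imported key and passed
#   digest-only  only checksums passed: intact, but the origin is NOT proven
#   missing-key  signature present, but the signer's public key is not imported
#   bad          a digest or signature actually failed (corrupt or altered file)
classify_checksig() {
    line=$1
    result=${line#*: }          # drop the leading "file.rpm: "
    case $result in
        *"NOT OK"*)
            # Strip the missing-keys clause and parenthesised tokens, then look
            # for a digest that failed outright (uppercase, not in parentheses).
            rest=$(printf '%s\n' "$result" |
                   sed -e 's/(MISSING KEYS:[^)]*)//' -e 's/([^)]*)//g')
            case " $rest " in
                *" MD5 "*|*" SHA1 "*|*" SIZE "*) echo bad ;;
                *)
                    case $result in
                        *"MISSING KEYS"*) echo missing-key ;;
                        *) echo bad ;;
                    esac ;;
            esac ;;
        *OK)
            case $result in
                *gpg*|*pgp*|*dsa*|*rsa*|*signatures*) echo signed-ok ;;
                *) echo digest-only ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Constructed sample lines (not captured from a real system).
while IFS= read -r sample; do
    printf '%-12s <- %s\n' "$(classify_checksig "$sample")" "$sample"
done <<'EOF'
update.rpm: md5 gpg OK
update.rpm: sha1 md5 OK
update.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
update.rpm: sha1 MD5 NOT OK
EOF
```

For `missing-key`, importing the vendor's public key file with `rpm --import <keyfile>` and re-running `rpm -K` is what turns the result into a real verdict. Whether a package is installed is queried by package name (`rpm -q <name>`), not by the `.rpm` file name.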
 