LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Mandriva
User Name
Password
Mandriva This Forum is for the discussion of Mandriva (Mandrake) Linux.

Notices


Reply
  Search this Thread
Old 11-09-2004, 10:29 PM   #1
Young Padawan
LQ Newbie
 
Registered: Nov 2004
Distribution: Mandrake 10.1 Community w/ WinXP dual boot
Posts: 14

Rep: Reputation: 0
RPMDrake: Bad signatures


I am trying to use RPMDrake to update my system and so I set it up to download all the updates it could from various FTP servers that I found using EasyURPMI. It downloaded about a gig worth of data (alot I know but I just told it to update everything that go through and find what I wanted/needed) but when I got home from work today it had a message saying that everything it tried to update had a bad signature.

Quote:
The following packages have bad signatures:

a2ps-4.13b-5mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
amarok-1.1-1mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
arts-1.2.3-9mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
audacity-1.2.2-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
bind-utils-9.3.0-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
bootsplash-2.1.13-1mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
bzip2-1.0.2-19mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#2[6752624 OK)............xlockmore-5.11-2mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
xorg-x11-6.7.0-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
xorg-x11-75dpi-fonts-6.7.0-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
xorg-x11-server-6.7.0-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)
xorg-x11-xfs-6.7.0-3mdk.i586.rpm: Invalid Key ID ((sha1) dsa sha1 md5 gpg GPG#26752624 OK)

Do you want to continue installation?
There were more that it listed but I dont think I need to list the entire thing. Its quite long. Why did it do this and what can I do to fix it? should I just tell it to install everything anyway?
 
Old 11-10-2004, 02:10 AM   #2
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
See: http://www.zebulon.org.uk/urpmi_en.html

for instructions on updating the keys.

This is not fatal anyway.
 
Old 11-11-2004, 02:15 AM   #3
allforcarrie
Member
 
Registered: Sep 2004
Distribution: Ubuntu
Posts: 157

Rep: Reputation: 30
i got the same error, all i have to do was try two or three times and it worked....
 
Old 11-11-2004, 02:28 AM   #4
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
That will go ahead and install the RPM's regardless of the sig keys... which is ok.

However the above posted link explains how to correct the error messages.
 
Old 11-25-2004, 08:04 AM   #5
Tux345
LQ Newbie
 
Registered: Nov 2004
Posts: 3

Rep: Reputation: 0
I'm still having problems with bad signatures

I imported the latest keys, but still see bad signature, even after cleaning the urpmi cache. What else can I do? It's not just the package that's failing, but lots of them:

Code:
[root@chrislap tmp]# wget -o/dev/null -O- http://www.mandrakesoft.com/security/RPM-GPG-KEYS | gpg --import
gpg: key 70771FF3: public key "Mandrake Linux <mandrake@mandrakesoft.com>" imported
gpg: key 9B4A4024: public key "MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>" imported
gpg: key 22458A98: public key "Mandrake Linux Security Team <security@mandrakesoft.com>" imported
gpg: Total number processed: 3
gpg:               imported: 3
[root@chrislap tmp]# wget -o/dev/null -O- http://www.mandrakesoft.com/security/RPM-GPG-KEYS | gpg --import
gpg: key 70771FF3: "Mandrake Linux <mandrake@mandrakesoft.com>" not changed
gpg: key 9B4A4024: "MandrakeSoft (MandrakeSoft official keys) <mandrake@mandrakesoft.com>" not changed
gpg: key 22458A98: "Mandrake Linux Security Team <security@mandrakesoft.com>" not changed
gpg: Total number processed: 3
gpg:              unchanged: 3
[root@chrislap tmp]# urpmi samba-client

The following packages have bad signatures:
/var/cache/urpmi/rpms/samba-client-3.0.7-2.2.101mdk.i586.rpm: Invalid Key ID (sha1 md5 gpg GPG#22458a98 OK)
Do you want to continue installation ? (y/N) n
[root@chrislap tmp]# urpmi --clean
[root@chrislap tmp]# urpmi samba-client

    ftp://ftp.heanet.ie/mirrors/ftp.mand...01mdk.i586.rpm
    
The following packages have bad signatures:
/var/cache/urpmi/rpms/samba-client-3.0.7-2.2.101mdk.i586.rpm: Invalid Key ID (sha1 md5 gpg GPG#22458a98 OK)
Do you want to continue installation ? (y/N) n
[root@chrislap tmp]#
 
Old 11-25-2004, 08:43 AM   #6
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
Yeah, this is normal.

The uploaded packages don't always have the latest keys applied.
 
Old 11-25-2004, 10:04 AM   #7
Tux345
LQ Newbie
 
Registered: Nov 2004
Posts: 3

Rep: Reputation: 0
Seems very strange to me.

Packages are signed to prevent malware being slipped into them.

If they aren't signed with the right key then any security we may have had goes straight out the window.

Surely some mistake? Or are people not bothered about security any more?

Chris.
 
Old 11-25-2004, 11:36 AM   #8
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
The package updates occur so frequently that often things go unsigned.
 
Old 11-26-2004, 08:15 PM   #9
Tux345
LQ Newbie
 
Registered: Nov 2004
Posts: 3

Rep: Reputation: 0
That's not helpful.

The packages ARE signed, and I have the key needed to verify that they are valid.

The problem, it turned out after lots of investigation, was that /etc/urpmi/urpmi.cfg had a couple of lines saying:

key-ids: 26752624

I edited the lines to say:

key-ids: 22458a98

and now it works just fine.

It may be that I'll eventually need to edit it to say:

key-ids: 22458a98,26752624

so that both keys will be accepted.

I'm told that the problem stems from the fact that in community edition the security key (gpg-pubkey 22458a98 gpg(Mandrake Linux Security Team <security@mandrakesoft.com>)) is used to sign stuff in the 'main' source, whereas in the official edition it isn't.

This maybe shows up a bug somewhere, but in the mean time, just edit the 'key-ids' lines and the problem stops.

See the man page for 'urpmi.cfg' for more details on 'key-ids'.

Hope that helps someone's understanding of what's going on a little.
 
Old 11-27-2004, 04:38 AM   #10
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
Yeah your right.

The key problem I was referring to occurs with the Contrib and PLF sources and SHOULD NEVER (really) occur with Mandrake...

Except you isolated an oversight.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
bad signatures dolphans1 Mandriva 8 11-25-2005 12:38 PM
Bad Signatures on install galliar Mandriva 6 02-15-2005 05:30 PM
bad signatures OrganicOrange84 Linux - Newbie 1 09-04-2004 12:14 AM
bad signatures ed_norton Linux - Newbie 5 04-14-2004 03:06 AM
Bad Signatures basttrax Linux - Newbie 9 02-12-2004 06:13 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Mandriva

All times are GMT -5. The time now is 02:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration