verifying redhat rpms with gpg
Merell L. Matlock, Jr.
Thu, 21 Oct 1999 19:31:22 -0400
* Hugo Bouckaert (firstname.lastname@example.org) [991021 18:36]:
> On my Redhat 6.0 machine I downloaded and installed
I'll come back to this.
> then saved the key from http://www.gnupg.org/gnupg-sigkey.asc as
> /etc/gpgkey then issued
> gpg /etc/gpgkey
> This returned:
> pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) <email@example.com>
Ok, that tells you what kind of key, but was Werner's key actually
ADDED to your pubring? According to this, it was not.
> But when I tried to verify an rpm package with gpg, it still returned
> the error to me:
> >rpm -K lpr-0.44-1.i386.rpm
> lpr-0.44-1.i386.rpm: size md5 GPG NOT OK
This is correct.
First, even if you have added Werner's key to your pubring, unless
Werner actually built and signed the RPM with his key, it will NOT
If you got an RPM from Red Hat/mirror, and it was built by Red Hat, it
will be signed with Red Hat's key.
Look at this:
$ rpm -K lpr-0.44-1.src.rpm
lpr-0.44-1.src.rpm: size md5 gpg OK
My source RPM (from the Infomagic Red Hat mirror) verifies properly.
> So I think there still is something wrong with my installation of
> the gpg verification system.
Nah, just need to practice with it some more. :)
Merell L. Matlock, Jr. When crypto is outlawed, only outlaws
(No super fancy title) and politicians will have crypto.
GnuPG (PGP) keys are available at your local public keyserver.
Microsoft: What do you want to be infected with today?
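Added example, not part of the original message: a small shell helper that reads the two `rpm -K` result lines quoted in this thread and separates "signature could not be verified" (signer's key not in the keyring, or the package was signed by a different key) from "file digest failed". It assumes the legacy rpm convention that a check printed in UPPERCASE failed; the function names and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Assumption: in legacy `rpm -K` output, an UPPERCASE check name failed
# and a lowercase one passed.

# failed_checks LINE -> failed check names, lowercased, space-separated
failed_checks() {
    fc_rest=${1#*: }          # drop the "package.rpm: " prefix
    fc_rest=${fc_rest%%(*}    # drop any trailing "(...)" detail
    fc_out=""
    for fc_tok in $fc_rest; do
        case $fc_tok in
            NOT|OK) continue ;;   # verdict words, not check names
        esac
        fc_upper=$(printf '%s' "$fc_tok" | tr '[:lower:]' '[:upper:]')
        if [ "$fc_tok" = "$fc_upper" ]; then
            fc_lower=$(printf '%s' "$fc_tok" | tr '[:upper:]' '[:lower:]')
            fc_out="${fc_out:+$fc_out }$fc_lower"
        fi
    done
    printf '%s\n' "$fc_out"
}

# diagnose LINE -> verified | signature-unverified | corrupt | unknown
diagnose() {
    dg_failed=$(failed_checks "$1")
    case "$1" in
        *"NOT OK"*)
            # "NOT OK" with no uppercase check name: format not understood
            [ -n "$dg_failed" ] || { echo "unknown"; return 0; } ;;
    esac
    case " $dg_failed " in
        "  ")                   echo "verified" ;;
        *" size "*|*" md5 "*)   echo "corrupt" ;;               # re-download
        *" gpg "*|*" pgp "*)    echo "signature-unverified" ;;  # check keyring
        *)                      echo "unknown" ;;
    esac
}

# First two lines are the ones quoted in the thread; the third is constructed.
while IFS= read -r sample; do
    printf '%-45s -> %s\n' "$sample" "$(diagnose "$sample")"
done <<'EOF'
lpr-0.44-1.i386.rpm: size md5 GPG NOT OK
lpr-0.44-1.src.rpm: size md5 gpg OK
example-1.0-1.i386.rpm: size MD5 GPG NOT OK
EOF
```

A "signature-unverified" result with size and md5 passing is the case discussed above: the download is intact, so the next thing to check is whether the packager's public key was actually imported into the keyring.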