verifying redhat rpms with gpg

Merell L. Matlock, Jr. merlock@hom.net
Thu, 21 Oct 1999 19:31:22 -0400 

--/04w6evG8XlLl3ft
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

* Hugo Bouckaert (hugo@cs.uwa.edu.au) [991021 18:36]:
=20

> On my Redhat 6.0 machine I downloaded and installed=20

=20

> gnupg-1.0.0-1rh6.i386.rpm

> pgpgpg-0.13-1.i386.rpm


I'll come back to this.


> then saved the key from http://www.gnupg.org/gnupg-sigkey.asc as

> /etc/gpgkey then issued

=20

> gpg /etc/gpgkey

=20

> This returned:=20

=20

> pub  1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) <dd9jn@gnu.org>


Ok, that tells you what kind of key, but was Werner's key actually
ADDED to your pubring?  According to this, it was not.
=20

> But when I tried to verify an rpm package with gpg, it still returned

> the error to me:=20

>=20

> >rpm -K lpr-0.44-1.i386.rpm

> lpr-0.44-1.i386.rpm: size md5 GPG NOT OK


This is correct. =20

First, even if you have added Werner's key to your pubring, unless
Werner actually built and signed the RPM with his key, it will NOT
verify.

If you got an RPM from Red Hat/mirror, and it was built by Red Hat, it
will be signed with Red Hat's key.

Look at this:

lpr-0.44-1.src.rpm

$ rpm -K lpr-0.44-1.src.rpm

lpr-0.44-1.src.rpm: size md5 gpg OK
                             ^^^

My source RPM (from the Infomagic Red Hat mirror) verifies properly.
=20

> So I think there still is something wrong with my installation of

> the gpg verification system.=20


Nah, just need to practice with it some more.  :)

HTH.

Merell
--=20
Merell L. Matlock, Jr.         When crypto is outlawed, only outlaws
(No super fancy title)         and politicians will have crypto.

GnuPG (PGP) keys are available at your local public keyserver.

Microsoft:  What do you want to be infected with today?

--/04w6evG8XlLl3ft
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4D6JKYZDR+RKT0qIRAo/3AJ0acKg41PYqXoeYhGYj55Wet13tcgCeOtCj
zNCVviH0IgPkBluAk19webc=
=Ht/4
-----END PGP SIGNATURE-----

--/04w6evG8XlLl3ft--