verifying redhat rpms with gpg

Merell L. Matlock, Jr.
Thu, 21 Oct 1999 19:31:22 -0400

* Hugo Bouckaert [991021 18:36]:

> On my Redhat 6.0 machine I downloaded and installed
> gnupg-1.0.0-1rh6.i386.rpm
> pgpgpg-0.13-1.i386.rpm
I'll come back to this.
> then saved the key from as
> /etc/gpgkey then issued
> gpg /etc/gpgkey
> This returned:
> pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) <>
Ok, that tells you what kind of key, but was Werner's key actually ADDED to your pubring? According to this, it was not.
> But when I tried to verify an rpm package with gpg, it still returned
> the error to me:
> >rpm -K lpr-0.44-1.i386.rpm
> lpr-0.44-1.i386.rpm: size md5 GPG NOT OK
This is correct.

First, even if you have added Werner's key to your pubring, unless Werner actually built and signed the RPM with his key, it will NOT verify. If you got an RPM from Red Hat/mirror, and it was built by Red Hat, it will be signed with Red Hat's key. Look at this:

lpr-0.44-1.src.rpm
$ rpm -K lpr-0.44-1.src.rpm
lpr-0.44-1.src.rpm: size md5 gpg OK
                             ^^^
My source RPM (from the Infomagic Red Hat mirror) verifies properly.
> So I think there still is something wrong with my installation of
> the gpg verification system.
Nah, just need to practice with it some more. :)

HTH.

Merell

-- 
Merell L. Matlock, Jr.          When crypto is outlawed, only outlaws
(No super fancy title)          and politicians will have crypto.
GnuPG (PGP) keys are available at your local public keyserver.
Microsoft: What do you want to be infected with today?
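
The following is an added example, not part of the original message: a small shell helper that reads one line of `rpm -K` output and says which kind of check failed. It assumes, as the two outputs quoted in the thread suggest, that a check name printed in capitals (GPG) did not verify and one in lower case (gpg) did; `rpmk_classify` is a hypothetical name, and the two `example-1.0-1` lines are constructed.

```shell
#!/bin/sh
# Added example: interpret one line of `rpm -K` output.
# Assumption, taken from the two outputs quoted in this thread: a check name
# printed in capitals (GPG) did not verify, lower case (gpg) did.
# rpmk_classify is a hypothetical helper name, not part of rpm or gpg.

rpmk_classify() (
    set -f                      # tokens must not be glob-expanded
    line=$1
    checks=${line#*: }          # drop the "package.rpm: " prefix
    if [ "$checks" = "$line" ]; then
        echo "unparseable"; exit 2
    fi
    sig_seen=no; sig_failed=""; digest_failed=""
    for tok in $checks; do
        upper=$(printf '%s' "$tok" | tr '[:lower:]' '[:upper:]')
        case $upper in
            NOT|OK) continue ;;
            GPG|PGP) kind=sig; sig_seen=yes ;;
            *) kind=digest ;;
        esac
        # A token that is already all-capitals marks a failed check.
        if [ "$tok" = "$upper" ]; then
            if [ "$kind" = sig ]; then sig_failed="$sig_failed $tok"
            else digest_failed="$digest_failed $tok"; fi
        fi
    done
    if [ -n "$digest_failed" ]; then
        echo "corrupt:$digest_failed"; exit 1
    elif [ -n "$sig_failed" ]; then
        # Payload is intact, but no key in the keyring vouches for it:
        # the signer's key was never imported, or the signature is bad.
        echo "signature-not-verified:$sig_failed"; exit 1
    elif [ "$sig_seen" = no ]; then
        echo "unsigned"; exit 3   # OK here only means the digests matched
    fi
    echo "verified"
)

# The two lines quoted in the thread, then two constructed ones.
rpmk_classify 'lpr-0.44-1.i386.rpm: size md5 GPG NOT OK' || :
rpmk_classify 'lpr-0.44-1.src.rpm: size md5 gpg OK' || :
rpmk_classify 'example-1.0-1.i386.rpm: size md5 OK' || :          # constructed
rpmk_classify 'example-1.0-1.i386.rpm: size MD5 GPG NOT OK' || :  # constructed
```

A line that ends in OK but lists no gpg or pgp check is reported as unsigned rather than verified, since no signature was checked at all.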