package has bad signature

[boatman9]

I received the below message while using urpmi to update packages on my system. I installed the package anyway. Does anyone know how the signature could have become bad after the package was built, or how to tell if the package has been tampered with?

 

The following package has bad signature:

/var/cache/urpmi/rpms/perl-XML-Simple-2.18-3mdv2009.0.noarch.rpm: Invalid Key ID (OK (DSA/SHA1, Thu 02 Oct 2008 04:36:52 PM PDT, Key ID e7898ae070771ff3))

Do you want to continue installation ? (y/N)

[SilverSurfer60]

Not sure how the bad signature got there, maybe Adam could tell us. I had a few with no signature. A reload of the $mirrorlist cured it though.

[jkerr82508]

I think that someone forgot to re-sign that package with the /updates key when it was copied to the /updates repo.

 

Jim

[adamw]

70771ff3 is the /main/release key, what repo did that package come from?

[boatman9]

I don't know how to tell which repo mirror was used. I don't fully understand the process, but it seems that when I run

"urpmi.update -a"

and then

"urpmi --auto-select"

a mirror list is downloaded, one of the mirrors is selected, and packages are downloaded from that repo mirror.

 

My urpmi.cfg file is full of entries like the following:

Main\ (Official2009.0-1) {

key-ids: 70771ff3

mirrorlist: $MIRRORLIST

with-dir: media/main/release

}

 

Downloading the package again, I get the following:

[root@localhost urpmi]# urpmi --auto --replacepkgs --no-install perl-XML-Simple

$MIRRORLIST: media/main/release/perl-XML-Simple-2.18-3mdv2009.0.noarch.rpm
The following package has bad signature:
/var/cache/urpmi/rpms/perl-XML-Simple-2.18-3mdv2009.0.noarch.rpm: Invalid Key ID (OK (DSA/SHA1, Thu 02 Oct 2008 04:36:52 PM PDT, Key ID e7898ae070771ff3))

[medo3891]

I think Jim got it right.