boatman9 Posted December 19, 2008 Report Share Posted December 19, 2008 I received the below message while using urpmi to update packages on my system. I installed the package anyway. Does anyone know how the signature could have become bad after the package was built, or how to tell if the package has been tampered with? The following package has bad signature: /var/cache/urpmi/rpms/perl-XML-Simple-2.18-3mdv2009.0.noarch.rpm: Invalid Key ID (OK (DSA/SHA1, Thu 02 Oct 2008 04:36:52 PM PDT, Key ID e7898ae070771ff3)) Do you want to continue installation ? (y/N) Quote Link to comment Share on other sites More sharing options...
SilverSurfer60 Posted December 19, 2008 Report Share Posted December 19, 2008 Not sure how the bad signature got there, maybe Adam could tell us. I had a few with no signature. A reload of the $mirrorlist cured it though. Quote Link to comment Share on other sites More sharing options...
jkerr82508 Posted December 19, 2008 Report Share Posted December 19, 2008 I think that someone forgot to re-sign that package with the /updates key when it was copied to the /updates repo. Jim Quote Link to comment Share on other sites More sharing options...
adamw Posted December 19, 2008 Report Share Posted December 19, 2008 70771ff3 is the /main/release key, what repo did that package come from? Quote Link to comment Share on other sites More sharing options...
boatman9 Posted December 19, 2008 Author Report Share Posted December 19, 2008 I don't know how to tell which repo mirror was used. I don't fully understand the process, but it seems that when I run "urpmi.update -a" and then "urpmi --auto-select" a mirror list is downloaded, one of the mirrors is selected, and packages are downloaded from that repo mirror. My urpmi.cfg file is full of entries like the following: Main\ (Official2009.0-1) { key-ids: 70771ff3 mirrorlist: $MIRRORLIST with-dir: media/main/release } Downloading the package again, I get the following: [root@localhost urpmi]# urpmi --auto --replacepkgs --no-install perl-XML-Simple $MIRRORLIST: media/main/release/perl-XML-Simple-2.18-3mdv2009.0.noarch.rpm The following package has bad signature: /var/cache/urpmi/rpms/perl-XML-Simple-2.18-3mdv2009.0.noarch.rpm: Invalid Key ID (OK (DSA/SHA1, Thu 02 Oct 2008 04:36:52 PM PDT, Key ID e7898ae070771ff3)) Quote Link to comment Share on other sites More sharing options...
medo3891 Posted December 22, 2008 Report Share Posted December 22, 2008 I think Jim got it right. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.