Bugzilla – Bug 122564
keys from suse-build-keys not imported
Last modified: 2008-06-25 09:52:56 UTC
I'd been having problems installing updates from YOU servers. Eventually I figured out that some of my machines didn't have the keys from the suse-build-keys package imported (based on "rpm -qa gpg-pubkey*", which generated no output). YOU was failing to recognize the signature and reporting failure. The "gpg ... -import" line in the postinstall evidently isn't doing anything; I eventually got things to work by extracting specific keys from that keyring and importing them with "rpm --import". After that, YOU updates started working. I never saw this problem on machines for which I'd installed from media; I only had this problem with machines where I'd done a PXE-based network install. Is there some installer code that imports these keys, independent of the postinstall from the suse-build-keys package itself? The relevant portion of my YaST logs, from the original install of suse-build-keys, is presumably the following: 2005-09-14 16:48:07 suse-build-key-1.0-668.noarch.rpm installed ok Additional rpm output: importing SuSE build key to rpm keyring... gpg: no ultimately trusted keys found done. The gpg spewage is from the invocation with --import. I still have a test machine with this problem in the event that more details are needed, but it should be trivial to reproduce: # rpm -e gpg-pubkey-9c800aca-40d8063e # rpm -e --nodeps suse-build-key # rpm -Uvh suse-build-key.rpm # rpm -qa gpg-pubkey* Depending on your installation method, step 4 alone may be insufficient to reproduce the problem.
Adding some people to CC. Michael, can you lend us a hand here? I think you had a similar problem solved mentioned on "research".
Seems to be a duplicte of bug #130579. - The packagemenager collects gpg-pubkey-* located in the root directory of an installation source. This is done at the time the source is created. - Before any package installation, collected gpg-pubkey-* are checked and installed in the rpm database if missing. Bug #130579 seems to indicate a problem with installation via network, at least via HTTP/FTP. The packagemanager does not see the original media. It's YaSTs YCP code which downloads the source metadata into the ramdisk. The packagemanager is then setup to use the ramdisk copy. To me it looks like the YCP code sometimes fails to copy the gpg-pubkey-* into the ramdisk. Without the keys installed, YOU can't check the signature of packages. (The message from suse-build-key's post-install script is unrelated to this. Rpm does not use the keyring for signature checking.) Wokraround: - Get the gpg-pubkey-* files from the original media, and copy them into /var/adm/YaST/InstSrcManager/gpg-pubkey/. - Then call 'rpm --import <names of missing keyfiles>', or 'yast2 sw_single' and install at least one package.
resolved - later - tracked by harald
mass reopening all SuSE Linux bugs that are set to REMIND+LATER to change the resolution to WONTFIX (adapting to new policy)
Closing old LATER+REMIND bugs as WONTFIX - if you still plan to work on it, feel free to reopen and set to ASSIGNED. In case the report saw repeated reopen comments, it's due to bugzilla timing out on the huge request ;(