rpm cannot verify fwupdate packages' PGP signatures

James Ralston qralston+ml.dell-poweredge at andrew.cmu.edu
Fri Jun 18 12:00:03 CDT 2010


This pretty much says it all:

$ yum -y update system_bios_PowerEdge_2850
Setting up Update Process
Setting up repositories
Reading repository metadata in from local files
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package system_bios_PowerEdge_2850.noarch 50:A06-20 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size 
=============================================================================
Updating:
 system_bios_PowerEdge_2850  noarch     50:A06-20        fwupdate          406 k

Transaction Summary
=============================================================================
Install      0 Package(s)         
Update       1 Package(s)         
Remove       0 Package(s)         
Total download size: 406 k
Downloading Packages:
warning: rpmts_HdrFromFdno: V3 DSA signature: NOKEY, key ID 5e3d7775
Public key for system_bios_PowerEdge_2850-A06-20.noarch.rpm is not installed
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-libsmbios
GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-libsmbios (0x5E3D7775) is already installed


The GPG keys listed for the "Firmware updates" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

But as the above message indicates, I have the correct key installed:

$ rpm -qi gpg-pubkey-5e3d7775
Name        : gpg-pubkey                   Relocations: (not relocatable)
Version     : 5e3d7775                          Vendor: (none)
Release     : 42d297af                      Build Date: 2010-06-18T12:36:18 EDT
Install Date: 2010-06-18T12:36:18 EDT          Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
Size        : 0                                License: pubkey
Signature   : (none)
Summary     : gpg(libsmbios (This key is used to sign all libsmbios tarballs) <libsmbios-devel at lists.us.dell.com>)
Description :

Just to rule out any possibility that the key was corrupt somehow in
RPM, I removed it and re-added it from:

http://linux.dell.com/files/libsmbios/download/RPM-GPG-KEY-libsmbios

But the results are the same.

The key is a simple 1024-bit DSA key, which all versions of rpm that I
know of can handle:

$ gpg2 --check-sigs 5E3D7775
pub   1024D/5E3D7775 2005-07-11
uid                  libsmbios (This key is used to sign all libsmbios tarballs) <libsmbios-devel at lists.us.dell.com>
sig!3        5E3D7775 2005-07-11  libsmbios (This key is used to sign all libsmbios tarballs) <libsmbios-devel at lists.us.dell.com>
sub   1024g/75C1F13F 2005-07-11
sig!         5E3D7775 2005-07-11  libsmbios (This key is used to sign all libsmbios tarballs) <libsmbios-devel at lists.us.dell.com>

Finally, the above error happens for me on the following
distributions:

    Red Hat Enterprise Linux 4.8
    Red Hat Enterprise Linux 5.5
    Fedora 12

So, it's a fairly widespread problem: I can't find any system that can
actually verify the PGP signatures on these packages.

Matt et al., can you guys verify these packages?  If so, what OS and
rpm version are you using to sign/verify the packages?
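
Added example, not part of the original post and not Dell's or rpm's own code: a POSIX sh triage helper that separates "key really is missing" from the state reported above, where rpm prints NOKEY for a key ID that is already in the rpm database. The function names are hypothetical, the sample strings are copied from the transcript above, and the second sed pattern goes beyond the post by also accepting the "key ID X: NOKEY" wording that newer rpm versions print.

```shell
#!/bin/sh
# Added example; nokey_ids, installed_ids and triage are hypothetical names.

# Short (8-hex) IDs of keys that rpm/yum output on stdin reports as NOKEY.
# Accepts "signature: NOKEY, key ID X" (as in the post) and
# "Signature, key ID X: NOKEY" (newer rpm), with 8- or 16-hex IDs.
nokey_ids() {
    sed -n \
        -e 's/.*NOKEY, key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' \
        -e 's/.*key ID \([0-9A-Fa-f]\{8,16\}\): NOKEY.*/\1/p' |
    tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/' | sort -u
}

# Short key IDs from "rpm -q gpg-pubkey" output on stdin.
# rpm names each imported key gpg-pubkey-<short key ID>-<release>.
installed_ids() {
    sed -n 's/^gpg-pubkey-\([0-9a-f]\{8\}\)-[0-9a-f]\{8\}$/\1/p' | sort -u
}

# triage "<yum or rpm output>" "<output of: rpm -q gpg-pubkey>"
# Prints one line per NOKEY key ID:
#   <id> not-installed        the key has to be imported
#   <id> installed-but-nokey  the key is present, so re-importing will not
#                             help; the signature itself needs inspecting
triage() {
    for id in $(printf '%s\n' "$1" | nokey_ids); do
        if printf '%s\n' "$2" | installed_ids | grep -qx "$id"; then
            echo "$id installed-but-nokey"
        else
            echo "$id not-installed"
        fi
    done
}

# Sample input copied from the transcript in the post.
SAMPLE_YUM='warning: rpmts_HdrFromFdno: V3 DSA signature: NOKEY, key ID 5e3d7775
Public key for system_bios_PowerEdge_2850-A06-20.noarch.rpm is not installed'
SAMPLE_KEYS='gpg-pubkey-5e3d7775-42d297af'

triage "$SAMPLE_YUM" "$SAMPLE_KEYS"
```

On a live system the two arguments would be the captured yum output and the output of `rpm -q gpg-pubkey`; for an `installed-but-nokey` result, `rpm -Kv` on the downloaded package shows what rpm makes of the signature.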
