rpm cannot verify fwupdate packages' PGP signatures

James Ralston qralston+ml.dell-poweredge at andrew.cmu.edu
Fri Jun 18 12:22:02 CDT 2010

On 2010-06-18 at 13:00-04 James Ralston wrote:

> warning: rpmts_HdrFromFdno: V3 DSA signature: NOKEY, key ID 5e3d7775
> Public key for system_bios_PowerEdge_2850-A06-20.noarch.rpm is not installed
> Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-libsmbios
> GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-libsmbios (0x5E3D7775) is already installed
> The GPG keys listed for the "Firmware updates" repository are already installed but they are not correct for this package.
> Check that the correct key URLs are configured for this repository.

An additional piece of information that might help: we rsync the
fwupdate repository locally on a nightly basis, and we verify the PGP
signatures after we do so.

I went back and checked our logs, and found:

    As of 2010-05-25 at 04:00-04, we had no difficulty verifying the PGP
    signatures of the RPM packages in the fwupdate repository.

    As of 2010-05-26 at 04:42-04, PGP signature verification of
    packages in the fwupdate repository failed.

Looking at our local copies of the rpm files, they all have mtime
values that fall between:

    2010-05-25 12:35:22-04
    2010-05-25 12:36:19-04

$ ls -lsa system_bios_ven_0x1028_dev_0x02fb-A00-20.noarch.rpm
876 -rw-r--r--  1 root root 885675 May 25 12:36 system_bios_ven_0x1028_dev_0x02fb-A00-20.noarch.rpm

So, I strongly suspect that on 2010-05-25 at 12:35:22-04, something or
someone went through and re-signed all of the RPMs in the fwupdate
repository.  But I think the version of rpm used to do so produced
corrupted signatures.
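An added example, not code from the thread or from Dell's repository tooling: a POSIX shell triage script for a locally mirrored repository that separates "signing key not imported" (NOKEY) from "key present but the signature does not verify" (BAD), which is the distinction the failure above turns on. It assumes rpm 4.x `rpm -K` output conventions and `rpm -q gpg-pubkey` naming; the sample result lines are constructed, not captured output.

```shell
#!/bin/sh
# Triage 'rpm -K' (rpm --checksig) results for a mirrored repository.
# A NOKEY result means the mirror host lacks the signer's public key;
# a BAD result means the key is known but the package's signature or
# digest does not verify (re-signed, corrupted, or tampered package).

# classify_sig: print OK / NOKEY / BAD / UNKNOWN for one 'rpm -K' result line.
# Order matters: a NOKEY line also contains the words "NOT OK".
classify_sig() {
    case "$1" in
        *"MISSING KEYS"*) echo NOKEY ;;   # signer's key not in the rpmdb
        *"NOT OK"*)       echo BAD ;;     # key present, verification failed
        *" OK"*)          echo OK ;;
        *)                echo UNKNOWN ;;
    esac
}

# missing_key_id: extract the key ID named in a NOKEY line (empty if none).
missing_key_id() {
    printf '%s\n' "$1" | sed -n 's/.*MISSING KEYS: GPG#\([0-9a-fA-F]*\).*/\1/p'
}

# key_imported: succeed if KEYID ($1) appears in the 'rpm -q gpg-pubkey'
# listing passed as $2 (passed in rather than queried, so it runs offline).
key_imported() {
    printf '%s\n' "$2" | grep -qi "^gpg-pubkey-$1-"
}

# triage_repo: check every *.rpm under DIR and print "<status> <file> [key=ID]".
# Example use on the mirror host: triage_repo /var/mirror/fwupdate
triage_repo() {
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        out=$(rpm -K "$f" 2>&1)
        id=$(missing_key_id "$out")
        echo "$(classify_sig "$out") $f ${id:+key=$id}"
    done
}

# Constructed sample lines in the rpm 4.x style (not from the thread):
SAMPLE_OK='pkg-A06-20.noarch.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_NOKEY='pkg-A06-20.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#5e3d7775)'
SAMPLE_BAD='pkg-A06-20.noarch.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK'
```

Run `triage_repo` right after the nightly rsync and alert on any BAD line; a sudden burst of BAD results across packages whose mtimes cluster within a minute points at a repository-wide re-sign rather than a single damaged download.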
