On Thu, 2003-06-12 at 07:43, Rolf Pedersen wrote:
[..]
On Thu, 2003-06-12 at 04:59, Tango Echo wrote:
Thanks for the reply. Unfortunately, I'm still getting
the error after following your instructions... The
gnu pg seemed to install fine. I'm also running mdk
9.1 BTW. Any other ideas??
[..]
I believe you will find that certain contrib packages are not signed and you will have to install without a signature, if you want the package. When rpm reports a missing key, such as when you verify a package with
rpm -K (package).rpm,
you should be able to search around to find it. Various contributors have their own gpg keys. There are public keyservers that *might* contain the needed key or you could
rpm -qp --changelog (package).rpm
to see who contributed the package and search on the cooker archives for clues to the sources of that key. For instance, Oden Eriksson packages chkrootkit. You can find links to his key and that of Han Boetes, who packages abcde, in the following post to cooker:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg106798.html
You can wget the file and
gpg --import (file)
as root. I don't have problems doing this from a su root commandline but YMMV. See man gpg.
Rolf
Rolf,
You're right, but my understanding from Warly during the various beta and rc cycles was that anything in release contrib is resigned with MDK's sig before release. (at least there where a lot of people checking this point for him.) with cooker contrib yes... this is a problem. (and people are always noting bad sigs there.) However nothing new gets added to release contrib does it? It would seem that updates would go into update not straight into contrib. But maybe I'm mistaken.
James
Things are in a state of flux and what was true not so long ago becomes irrelevant at a disquieting rate. However, my understanding has been that contrib/ are unsupported. I don't have a boxed set, so my experience is with mirrored sources. I mirrored contrib/ from cooker at the time of the release of 9.1 isos and a couple of times since to try to resolve a mismatch between the packages and the posted hdlist. [*] I just rsynced contrib/ from carroll to make sure I was dealing with current sources.
Without checking every package, I see no evidence that contrib/ packages are signed by the Mandrake gpg key. My impression is that more packages are unsigned than are signed. The only test for this that I know of is demonstrated below, first for a package from the CD1 iso, then for two contrib/ packages, one unsigned (AFAICT) and one signed by a contributor:
[EMAIL PROTECTED] RPMS]# rpm -K -vv mozilla-1.3-1mdk.i586.rpm
D: Expected size: 10633778 = lead(96)+sigs(241)+pad(7)+data(10633434)
D: Actual size: 10633778
mozilla-1.3-1mdk.i586.rpm:
MD5 sum OK: 67303eb2e0a713bc35156ef7297da9e5
gpg: Signature made Fri 14 Mar 2003 02:56:58 AM PST using DSA key ID 70771FF3
gpg: Good signature from "Mandrake Linux <[EMAIL PROTECTED]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: ED65 5537 C36E EE0E 309A BA84 E789 8AE0 7077 1FF3
[EMAIL PROTECTED] RPMS]# rpm -K -vv hddtemp-0.3-0.beta4.1mdk.i586.rpm D: Expected size: 29570 = lead(96)+sigs(160)+pad(0)+data(29314) D: Actual size: 29570 hddtemp-0.3-0.beta4.1mdk.i586.rpm: MD5 sum OK: 551663fc5c59edba28ef0467f03b5770
[EMAIL PROTECTED] RPMS]# rpm -K -vv abcde-2.0.3-3mdk.i586.rpm
D: Expected size: 43371 = lead(96)+sigs(241)+pad(7)+data(43027)
D: Actual size: 43371
abcde-2.0.3-3mdk.i586.rpm:
MD5 sum OK: 832041e31286051c8f001b22d1b0a968
gpg: Signature made Fri 27 Dec 2002 08:48:21 AM PST using DSA key ID 79F13BC3
gpg: Good signature from "Han Boetes <[EMAIL PROTECTED]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A5C4 9A4D 127C EDBB 5D30 DEB7 6770 FF08 79F1 3BC3
WRT today's discussion on cooker Olivier Thauvin had this to say:
Le Jeudi 12 Juin 2003 18:26, Per �yvind Karlsen a �crit :
>> when uploading them yourself(not upping them to ftp.linux-mandrake.com) you
>> should'nt sign them, as you see, noone else does this, and when people are
>> installing your packages they'll get warnings about it because the package
>> has both your signature and the mandrakesoft, while they have only the
>> mandrakesoft signatures..
Nop, contrib are not resign by mdk. Then poeple get only personnal signature.
-- Linux pour Mac !? Enfin le moyen de transformer une pomme en v�ritable ordinateur. - JL. Olivier Thauvin - http://nanardon.homelinux.org/
http://marc.theaimsgroup.com/?l=mandrake-cooker&m=105543573712319&w=2
[*] I don't believe, either, that there are, normally, changes to contrib/ after release. The synthesis.hdlist was not in sync for some packages I was aware of and reported by others who were having problems installing. I reported this to cooker 3/26: http://archives.mandrakelinux.com/cooker/2003-02/msg10554.php but that does not appear to be fixed, at least at carroll:
[EMAIL PROTECTED] RPMS]# zcat synthesis.hdlist2.cz | grep gdal | grep @provides
@[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]@libgdal0[== 1.1.8-2mdk]
@[EMAIL PROTECTED] [EMAIL PROTECTED] 1.1.8-2mdk]
@[EMAIL PROTECTED] 1.1.8-2mdk]
@[EMAIL PROTECTED]@gdal-python[== 1.1.8-2mdk]
[EMAIL PROTECTED] RPMS]# ls | grep gdal
gdal-1.1.8-1mdk.i586.rpm
gdal-python-1.1.8-1mdk.i586.rpm
libgdal0-1.1.8-1mdk.i586.rpm
libgdal0-devel-1.1.8-1mdk.i586.rpm
So, when urpmi is asked for gdal, it can't find what the hdlist says is there:
[EMAIL PROTECTED] RPMS]# urpmi gdal
To satisfy dependencies, the following packages are going to be installed (4 MB):
gdal-1.1.8-2mdk.i586
libgdal0-1.1.8-2mdk.i586
libgrass5_0-1.0.0-1mdk.i586
libpq3-7.3.2-5mdk.i586
libproj0-4.4.5-2mdk.i586
Is this OK? (Y/n)
Installation failed, some files are missing:
/mnt/hd/contrib/RPMS/libgdal0-1.1.8-2mdk.i586.rpm
/mnt/hd/contrib/RPMS/gdal-1.1.8-2mdk.i586.rpm
/mnt/hd/contrib/RPMS/libgrass5_0-1.0.0-1mdk.i586.rpm
You may want to update your urpmi database
What I do is:
rm synthesis.hdlist2.cz genhdlist .
and update my contrib source. Now the hdlist is in sync.
Rolf
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
