On Tue, Sep 25, 2012 at 7:46 AM, Volker Fröhlich <[email protected]> wrote:
> On Tue, 2012-09-25 at 09:50 +0000, Müller-Reineke, Matthias wrote:
>> Dear SL users,
>>
>> I want to check the authenticity of a source package which I obtained with
>> yum downloader this way:
>>
>> yumdownloader --source --disablerepo=epel tomcat6
>>
>> When I try to verify the authenticity, this happens:
>>
>> ~/> rpm --checksig -v tomcat6-6.0.24-45.el6.src.rpm
>> tomcat6-6.0.24-45.el6.src.rpm:
>> Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
>> Header SHA1 digest: OK (906acdd5cf193699ef3028d438b12edf7c934d47)
>> V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
>> MD5 digest: OK (7ec8af89e12e5ba43ee1a97e848e75a4)
>> willfried@gvsl Tue Sep 25 11:32:59am
>> ~/> echo $?
>> 1
>>
>>
>> What is missing?
>
> The public key of the repository. Import it using rpm --import.
>
> Volker

This public key is normally listed in /etc/yum.repos.d/[repositoryname].repo, and running "yum install package" will ask if you want to import that key when you first use it. I'm in the midst of setting up a new repository for a project right now, and trying to do so carefully for a repository that has lost its old GPG key passphrase.
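
The following is an added example, not part of the thread: a small shell function that reads `rpm --checksig -v` output and separates "digests OK but signature key missing" (the NOKEY case quoted above) from a verified, bad, or unsigned package. The function names `classify_checksig` and `sample_nokey` are made up for this example; the sample input is the output quoted in the thread.

```shell
#!/bin/sh
# Added example: classify `rpm --checksig -v` output read from stdin.
# Prints one verdict: BAD, NOKEY <keyids>, UNSIGNED, or VERIFIED.
# Digest lines only prove integrity; only signature lines prove authenticity.
classify_checksig() {
    awk '
        # e.g. "Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY"
        /Signature, key ID/ {
            sigs++
            id = $0; sub(/.*key ID /, "", id); sub(/:.*/, "", id)
            if ($NF == "NOKEY") {
                # collect each missing key ID once
                if (!(id in seen)) { seen[id] = 1; missing = missing " " id }
            } else if ($NF != "OK") {
                bad = 1
            }
            next
        }
        # e.g. "Header SHA1 digest: OK (...)" or "MD5 digest: OK (...)"
        /digest:/ { if ($0 !~ /digest: OK/) bad = 1 }
        END {
            if (bad)            print "BAD"
            else if (missing)   print "NOKEY" missing
            else if (sigs == 0) print "UNSIGNED"
            else                print "VERIFIED"
        }'
}

# Sample input: the rpm output quoted in the thread above.
sample_nokey() {
    cat <<'EOF'
tomcat6-6.0.24-45.el6.src.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    Header SHA1 digest: OK (906acdd5cf193699ef3028d438b12edf7c934d47)
    V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    MD5 digest: OK (7ec8af89e12e5ba43ee1a97e848e75a4)
EOF
}

# Real use: rpm --checksig -v some.rpm | classify_checksig
sample_nokey | classify_checksig
```

A NOKEY verdict names the key ID to look for among the keys already imported, which `rpm -q gpg-pubkey` lists.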
