James Knott wrote:
On 11/18/2017 02:42 AM, Andrea Pescetti wrote:
We only sign the .tar.gz archive and signatures are in the .asc file
corresponding to the archive you downloaded. So in your case the
signature could be verified this way:
1. Download
http://archive.apache.org/dist/openoffice/4.1.4/binaries/en-US/Apache_OpenOffice_4.1.4_Linux_x86-64_install-rpm_en-US.tar.gz.asc

2. Run gpg --verify
Apache_OpenOffice_4.1.4_Linux_x86-64_install-rpm_en-US.tar.gz.asc

When I try that, I get:
gpg: Signature made Thu 12 Oct 2017 11:18:37 AM EDT using RSA key ID
791485A8
gpg: Can't check signature: No public key

OK. This is expected if you didn't import the keys. For it to succeed, download to the same directory:
1. http://archive.apache.org/dist/openoffice/4.1.4/binaries/en-US/Apache_OpenOffice_4.1.4_Linux_x86-64_install-rpm_en-US.tar.gz.asc
2. http://archive.apache.org/dist/openoffice/4.1.4/binaries/en-US/Apache_OpenOffice_4.1.4_Linux_x86-64_install-rpm_en-US.tar.gz
3. http://archive.apache.org/dist/openoffice/KEYS

Then run:
$ gpg --import KEYS
$ gpg --verify Apache_OpenOffice_4.1.4_Linux_x86-64_install-rpm_en-US.tar.gz.asc

This will tell you that the .tar.gz file has a valid signature by Jim, Release Manager for 4.1.4. It might still complain that it can't verify that the key belongs to the reported owner, but you will have to trust the KEYS file for this.

This won't solve your problem with YaST at all, since this applies to the archive as a whole, not to the contents.

What command do you use for installation? RPM directly, something like
"rpm -Uvh *.rpm"? Or some interface to it? There is probably some
setting that you should disable in order for it to trust "unsigned"
packages (again, ours ARE signed; just, we sign the archive but not
the individual packages).
I use the Yast software management utility.  I create a
repository by copying the contents of the downloaded file to a directory
and then tell the Yast software management to update.  I've been using
this method for years and it's never failed before.

I don't think this depends on how we packaged 4.1.4. I would be surprised if you get something different with 4.1.3, or any earlier release. Is it possible that some upgrade forced YaST to reject unsigned packages?

I see the same error being reported here: https://github.com/atom/atom/issues/15418 for another project, and being tracked down to a YaST/OS issue. In that case they could solve it by signing the package, but in our case we already sign the .tar.gz, just YaST likely cannot see or handle it. So you will have to disable some YaST settings to get it to behave as it did in earlier times.

Regards,
  Andrea.
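The import-then-verify flow Andrea describes, reproduced offline as an added example (this is not code from the thread or from the OpenOffice project). The script generates a throwaway signing key, builds a stand-in .tar.gz with a detached .asc and a KEYS file, and then shows the three outcomes a downloader can get: "No public key" before gpg --import KEYS, a good signature on a key gpg has not certified afterwards (the warning Andrea mentions), and a bad signature once the archive is altered. The key name, file names and directory layout are assumptions made here; the result is read from gpg's --status-fd tokens rather than from the translated text, so it can be checked in a script.

```shell
#!/bin/sh
# Added example for the thread above: the gpg --import KEYS / gpg --verify flow, run
# offline against a throwaway key.  Everything here (key name, file names, the stand-in
# archive) is constructed by the script; nothing is downloaded from archive.apache.org.
set -eu

# make_demo DIR: create the "release manager" keyring, a stand-in archive, its detached
# signature and a KEYS file under DIR/dist, plus an empty downloader keyring DIR/user.
make_demo() {
    dir=$1
    mkdir -p "$dir/signer" "$dir/user" "$dir/dist"
    chmod 700 "$dir/signer" "$dir/user"
    # Sign-only RSA key with no passphrase (demo only; a real release key has one).
    GNUPGHOME="$dir/signer" gpg --batch --no-tty --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Manager <rm@example.invalid>' rsa2048 sign never \
        2>/dev/null
    printf 'stand-in for the real .tar.gz\n' > "$dir/dist/demo.tar.gz"
    # Same shape as the project's release: a detached, armoured signature next to the archive.
    GNUPGHOME="$dir/signer" gpg --batch --no-tty --yes --armor --detach-sign \
        --output "$dir/dist/demo.tar.gz.asc" "$dir/dist/demo.tar.gz" 2>/dev/null
    # KEYS is just the armoured public key(s).
    GNUPGHOME="$dir/signer" gpg --batch --armor --export rm@example.invalid > "$dir/dist/KEYS"
}

# import_keys DIR: the step the thread recommends, into the downloader's keyring.
import_keys() {
    GNUPGHOME="$1/user" gpg --batch --no-tty --import "$1/dist/KEYS" 2>/dev/null
}

# verify_status ARCHIVE HOME: run gpg --verify as the downloader and classify the result
# from the machine-readable --status-fd tokens (the human-readable text is localized and
# changes between versions).  Prints one of:
#   NO_PUBKEY            signature made by a key that is not in the keyring
#   GOODSIG TRUST_xxx    valid signature; TRUST_UNDEFINED means "key is not certified"
#   BADSIG               signature does not match the data
#   ERROR                anything else (missing file, unparsable signature, ...)
verify_status() {
    archive=$1 home=$2
    out=$(GNUPGHOME="$home" gpg --batch --no-tty --status-fd 1 \
            --verify "$archive.asc" "$archive" 2>/dev/null || true)
    case "$out" in
        *"[GNUPG:] NO_PUBKEY "*) echo NO_PUBKEY ;;
        *"[GNUPG:] BADSIG "*)    echo BADSIG ;;
        *"[GNUPG:] GOODSIG "*)
            trust=$(printf '%s\n' "$out" | awk '$2 ~ /^TRUST_/ { print $2; exit }')
            echo "GOODSIG ${trust:-TRUST_UNKNOWN}" ;;
        *)                       echo ERROR ;;
    esac
}

# signer_fingerprint DIR: primary-key fingerprint of the key that made the signature
# (last field of the VALIDSIG status line).
signer_fingerprint() {
    GNUPGHOME="$1/user" gpg --batch --no-tty --status-fd 1 \
        --verify "$1/dist/demo.tar.gz.asc" "$1/dist/demo.tar.gz" 2>/dev/null \
        | awk '$2 == "VALIDSIG" { print $NF; exit }'
}

# keys_fingerprint DIR: fingerprint of the first key in the downloader's keyring, i.e. what
# came out of KEYS.  Compare it with a fingerprint obtained some other way: a KEYS file
# fetched from the same server as the archive only shows that the two agree with each other.
keys_fingerprint() {
    GNUPGHOME="$1/user" gpg --batch --no-tty --with-colons --with-fingerprint --list-keys \
        2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# cleanup DIR: stop the agents gpg started for the throwaway homes, then delete them.
cleanup() {
    for h in signer user; do
        GNUPGHOME="$1/$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$1"
}

demo() {
    dir=$(mktemp -d)
    make_demo "$dir"
    echo "before import: $(verify_status "$dir/dist/demo.tar.gz" "$dir/user")"
    import_keys "$dir"
    echo "after import:  $(verify_status "$dir/dist/demo.tar.gz" "$dir/user")"
    echo "signer:        $(signer_fingerprint "$dir")"
    echo "from KEYS:     $(keys_fingerprint "$dir")"
    printf 'x' >> "$dir/dist/demo.tar.gz"     # tamper with the archive
    echo "after tamper:  $(verify_status "$dir/dist/demo.tar.gz" "$dir/user")"
    cleanup "$dir"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as "sh verify_demo.sh run". The sequence printed is NO_PUBKEY, then GOODSIG TRUST_UNDEFINED, then BADSIG, which matches what James saw before importing and what Andrea says happens after. The fingerprint lines are the part worth doing by hand on a real download: gpg only proves that the .tar.gz matches a key found in KEYS, so the value to compare against is a fingerprint you got through some channel other than the mirror that served the archive.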
