SDB:YOU or RPM Report Problems Verifying Package Signatures
From openSUSE
Symptom
YaST Online Update (YOU) reports it cannot install a package, as it cannot verify the signature or rpm reports NOKEY.
For example, YOU reports:
ERROR(You:RPM has invalid signature.)
or rpm produces messages like:
warning: /tmp/man-pages-1.67-1.10.noarch.rpm: V3 DSA signature: NOKEY, key ID 9c800aca
Background: package signatures
The RPM package management system, as used in SUSE LINUX, uses digital signatures [wikipedia] implemented by the GNU Privacy Guard [wikipedia] to ensure that an RPM package file was produced by a trusted source (Novell/SUSE) and that it has not been tampered with (either accidentally, e.g. through data corruption during download or deliberately by a malevolent party).
For more background on the RPM package management system and its use of digital signatures we recommend the book Maximum RPM.
Possible causes
The most common cause for problems related to RPM signatures is a corrupted download. A corrupted download itself has a number of possible causes, like a simple transmission error or a content-altering proxy (e.g. anti-virus software mistaking an RPM for an infected file). This article is not concerned with that case. We assume that you have already ruled out a corrupted download.
In this case, there is a cause that lies deeper: the RPM package management system may have forgotten which public keys are to be trusted for package signatures.
Background: RPM versions
Like most Linux software, the RPM package management software is still being developed. There are significant differences in the commands for handling keys and signatures with RPM version 3 (used in SLES8, SLSS and SLOX) and RPM version 4 (used in SLES9, SUSE 9.3 and SUSE Linux 10.x). Please make sure you know which version of RPM your system uses (when in doubt, check with rpm -q rpm) and follow the appropriate sections later on.
Analysing the cause (RPM version 4)
The RPM system should know about the keys that Novell/SUSE uses to sign SUSE RPM package files. This can be checked by studying the output of the command
rpm -qa 'gpg-pubkey*' | sort
The correct output depends on the SUSE product.
For SLES9, the output should contain at least these two keys:
gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-9c800aca-40d8063e
With SUSE 9.3, one more key needs to be in there:
gpg-pubkey-0dfb3188-41ed929b
gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-9c800aca-40d8063e
When the RPM system is not in working order, it will produce a different output which may even be empty.
Solution (RPM version 4)
Re-import the Novell/SUSE public keys from trusted media as follows:
- Mount the first CD of your installation media under /mnt.
- Run the command
rpm --import /mnt/gpg-pubkey-3d25d3d9-36e12d04.asc
- Run the command
rpm --import /mnt/gpg-pubkey-9c800aca-39eef481.asc
- If /mnt/gpg-pubkey-0dfb3188-41ed929b.asc exists, run the command
rpm --import /mnt/gpg-pubkey-0dfb3188-41ed929b.asc
- Check that RPM has imported the keys correctly by running
rpm -qa 'gpg-pubkey*' | sort
and checking that its output now is equal to the expected output as described above.
- If the rpm line did not produce this output (e.g. its output is empty) please run the command
rpm --rebuilddb
and then repeat the key import procedure (rpm --import ..) and recheck.
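As an added illustration, not part of this SDB article, the following POSIX shell script automates the check described in the analysis and solution sections for RPM version 4: it compares the list printed by rpm -qa 'gpg-pubkey*' against the keys a product is expected to carry, and it extracts the key ID from an rpm NOKEY warning so that the missing gpg-pubkey entry can be identified. The expected key list is the SLES9 list from this article; the function names and the --live flag are this script's own, and rpm is only invoked when --live is given, so the functions can be exercised on constructed input elsewhere.

```shell
#!/bin/sh
# Added example, not part of the SDB article: check which Novell/SUSE
# signing keys rpm (version 4) knows about, and match an rpm NOKEY warning
# against that list. Function names and the --live flag are this script's own.

# Keys that SLES9 is expected to carry, taken from the article.
EXPECTED_SLES9="gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-9c800aca-40d8063e"

# key_id_from_warning LINE
# Prints the 8-hex-digit key ID from a line such as
#   warning: foo.rpm: V3 DSA signature: NOKEY, key ID 9c800aca
# and prints nothing when the line is not a NOKEY warning.
key_id_from_warning() {
    printf '%s\n' "$1" | sed -n 's/.*NOKEY, key ID \([0-9a-fA-F]\{8\}\).*/\1/p'
}

# missing_keys INSTALLED EXPECTED
# Both arguments are newline-separated gpg-pubkey-<keyid>-<timestamp> names,
# as printed by "rpm -qa 'gpg-pubkey*'". Prints each expected entry that is
# absent from INSTALLED, one per line (exact match, so an entry with a
# different timestamp also counts as missing).
missing_keys() {
    printf '%s\n' "$2" | while IFS= read -r key; do
        [ -n "$key" ] || continue
        if ! printf '%s\n' "$1" | grep -qx "$key"; then
            printf '%s\n' "$key"
        fi
    done
}

# key_installed KEYID INSTALLED
# Succeeds when INSTALLED contains gpg-pubkey-<KEYID>-* with any timestamp;
# this looser check is the one that matters for a NOKEY warning, which
# only names the key ID.
key_installed() {
    printf '%s\n' "$2" | grep -qi "^gpg-pubkey-$1-"
}

# On a real SUSE system, run:  sh check-keys.sh --live [rpm-warning-line]
# The rpm command is only invoked in this branch.
case "${1:-}" in
    --live)
        installed=$(rpm -qa 'gpg-pubkey*' | sort)
        echo "Keys known to rpm:"
        printf '%s\n' "$installed"
        echo "Expected SLES9 keys not found:"
        missing_keys "$installed" "$EXPECTED_SLES9"
        if [ -n "${2:-}" ]; then
            id=$(key_id_from_warning "$2")
            if [ -n "$id" ] && ! key_installed "$id" "$installed"; then
                echo "Key ID $id from the warning is not imported; re-import it from trusted media."
            fi
        fi
        ;;
esac
```

Running it with --live and the NOKEY warning quoted as the second argument reports both the exact entries missing from the expected list and whether the key named in the warning is known to rpm at all; an empty "Keys known to rpm" list is the case in which the article advises rpm --rebuilddb before re-importing.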
Analysing the cause (RPM version 3)
Here too, the RPM system should know about the two keys that Novell/SUSE uses to sign SUSE RPM package files. RPM version 4 has commands to deal with keys directly, but RPM version 3 had no such commands yet, so the actual commands are quite different.
When the keys for RPM are in working order, the command
gpg --no-options --no-default-keyring --keyring /usr/lib/rpm/gnupg/pubring.gpg --list-keys
should list both keys in an output similar to
/usr/lib/rpm/gnupg/pubring.gpg
------------------------------
pub 1024D/C58B7883 2002-09-03 UnitedLinux Package Signing Key
sub 2048g/797B62F9 2002-09-03 [expires: 2007-09-02]
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
sub 2048g/8495160C 2000-10-19 [expires: 2006-02-12]
When the RPM system is not in working order, it will produce a different output which may even be empty.
Solution (RPM version 3)
Reimport the Novell/SUSE public keys from trusted media as follows:
- Mount the first CD of your installation media under /mnt.
- Run the command
gpg --no-options --no-default-keyring --keyring /usr/lib/rpm/gnupg/pubring.gpg --import /mnt/pubring.gpg
- Run
gpg --no-options --no-default-keyring --keyring /usr/lib/rpm/gnupg/pubring.gpg --list-keys
again and verify whether the keys are now imported in the keyring that RPM uses.
- If you get an error message like fatal: /usr/lib/rpm/gnupg/trustdb.gpg: invalid trustdb do
rm -f /usr/lib/rpm/gnupg/trustdb.gpg
and redo the key import and verify.
Keys per product
Please note that you should always import keys from trusted media whenever possible. The hyperlinks in this section should only be used as a last resort option when trusted media are not available.
SLES10 (RC3) and SLED 10 (RC3)
- gpg-pubkey-0dfb3188-41ed929b: Open Enterprise Server <support@novell.com>
- gpg-pubkey-307e3d54-44201d5d: SuSE Package Signing Key <build@suse.de>
- gpg-pubkey-3d25d3d9-36e12d04: SuSE Security Team <security@suse.de>
- gpg-pubkey-7e2e3b05-44748aba: Novell Provo Build (Contact security@novell.com) <novell-provo-build@novell.com>
- gpg-pubkey-a1912208-446a0899: Novell Provo Build (Contact security@novell.com) <novell-provo-build@novell.com>
- gpg-pubkey-9c800aca-40d8063e: SuSE Package Signing Key <build@suse.de>
SUSE Linux 10.1
- gpg-pubkey-0dfb3188-41ed929b: Open Enterprise Server <support@novell.com>
- gpg-pubkey-1d061a62-427a396f: build@novell.com (Novell Linux Products) <support@novell.com>
- gpg-pubkey-307e3d54-44201d5d: SuSE Package Signing Key <build@suse.de>
- gpg-pubkey-3d25d3d9-36e12d04: SuSE Security Team <security@suse.de>
- gpg-pubkey-9c800aca-40d8063e: SuSE Package Signing Key <build@suse.de>
SUSE Linux 10.0
- gpg-pubkey-3d25d3d9-36e12d04: SuSE Security Team <security@suse.de>
- gpg-pubkey-9c800aca-40d8063e: SuSE Package Signing Key <build@suse.de>
- gpg-pubkey-15c17deb-3f9e80c9: Java Desktop Package Signing Key <jdsbuild@sun.com>
- gpg-pubkey-0dfb3188-41ed929b: Open Enterprise Server <support@novell.com>
SLES9 and OES/Linux
- gpg-pubkey-3d25d3d9-36e12d04: SuSE Security Team <security@suse.de>
- gpg-pubkey-9c800aca-40d8063e: SuSE Package Signing Key <build@suse.de>
- gpg-pubkey-15c17deb-3f9e80c9: Java Desktop Package Signing Key <jdsbuild@sun.com>
- gpg-pubkey-0dfb3188-41ed929b: Open Enterprise Server <support@novell.com>
- gpg-pubkey-b37b98a9-6647760c: SUSE PTF Signing Key <support@suse.com> (from patch-11032)
- gpg-pubkey-b37b98a9-42820f17: SUSE PTF Signing Key <support@suse.com> (obsolete; from patch-10480)
Similar/related problems
There is a similar problem with the verification of the signatures of YOU patch info files rather than RPM package files; this problem is discussed in the article SDB:YOU Reports Problems Verifying Patch Signatures.
Keywords: YOU | rpm | signature | key | verify | verification