Bug 1140

Summary: GPG key symlinks look to be wrong for F10
Product: Fedora Reporter: John Beranek <john>
Component: rpmfusion-nonfree-releaseAssignee: Thorsten Leemhuis <fedora>
Status: RESOLVED WONTFIX    
Severity: normal CC: lxtnow, s.adam
Priority: P5    
Version: 10   
Hardware: All   
OS: GNU/Linux   
namespace:

Description John Beranek 2010-03-31 14:09:55 CEST 
Just tried to install some Rpmfusion packages on a F10 machine (from a local Rpmfusion mirror) and hit a GPG problem.

# yum install kmod-nvidia
...
...
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID b1981b68
rpmfusion-nonfree-updates/gpgkey                         | 1.7 kB     00:00
Importing GPG key 0x8DC43844 "RPM Fusion nonfree repository for Fedora (11) <rpmfusion-buildsys@lists.rpmfusion.org>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora
Is this ok [y/N]:

You see here that Yum is saying the F_11_ key will be imported - however, I didn't stop here (I'm so used to replying 'y<CR>') which gives:

Public key for xorg-x11-drv-nvidia-180.60-1.fc10.i386.rpm is not installed

Further information shows that indeed Yum has installed the F11 pubkey, which is distinct from the F10 key that was used to sign the packages.

# rpm -qpi /var/cache/yum/rpmfusion-nonfree-updates/packages/xorg-x11-drv-nvidia-180.60-1.fc10.i386.rpm |grep "Key ID"
warning: /var/cache/yum/rpmfusion-nonfree-updates/packages/xorg-x11-drv-nvidia-180.60-1.fc10.i386.rpm: Header V3 DSA signature: NOKEY, key ID b1981b68
Signature   : DSA/SHA1, Thu 16 Jul 2009 08:50:57 BST, Key ID 206f8182b1981b68

# rpm -qa|grep pubkey
gpg-pubkey-8dc43844-49c510d6

# ls -l /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora
lrwxrwxrwx 1 root root 47 2010-03-31 10:47 /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora -> RPM-GPG-KEY-rpmfusion-nonfree-fedora-11-primary

[Note, this is true for both free and nonfree repositories]
Comment 1 John Beranek 2010-03-31 14:13:00 CEST 
If I manually perform

# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-10-primary

then the yum command will work.
Comment 2 John Beranek 2010-03-31 14:35:55 CEST 
Further information - I've just realised our local .repo files differ in the following regard.

Ours
====

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora

Yours (from rpmfusion-nonfree-release-10-5.noarch.rpm)
=====

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-$releasever-$basearch


So, our .repo files rely on the symlink being "correct" and pointing to the F10 file, whereas the new .repo files from the release RPM pick out the key file explicitly. So, at least we have a workaround...
Comment 3 Thorsten Leemhuis 2010-04-04 21:22:23 CEST 
F10 is EOL; but everything you need to use it can be found on the servers if you really want to; but the official way only contians the files for F11 and later