Re: Valid GPG Signature?
From: Andreas Tretow (andreas.tretow-ng_at_gmx.de)
Date: 01/10/04
- In reply to: Richard Huelbig: "Valid GPG Signature?"
Date: Sat, 10 Jan 2004 21:15:39 +0100
On Sat, 10 Jan 2004 19:40:25 +0000, Richard Huelbig wrote:
> I've installed the Fedora Core from the three ISO images and now I'm
> using up2date to update the entire OS and all packages.
>
> However, when retrieving packages, some of the packages generate a
> message to the effect of:
>
> "The package <packages name> does not have a valid GPG signature.
> It has been tampered with or corrupted. Continue?"
>
> I've been selecting "OK" to continue and the download seems to proceed
> okay; but, I'm wondering what the message is trying to tell me, and what
> is the impact of an invalid GPG signature. Can anyone answer this?
The packages you are downloading are signed with a (private) key and rpm
is trying to verify the packages' integrity (whether they have been
tampered with) and authenticity (whether they are actually from Fedora)
with the appropriate (public) key. For this to work, and to get rid of the
messages, you have to import Fedora's public key with
'rpm --import /usr/share/doc/fedora-release-1/RPM-GPG-KEY'
or alternatively
'rpm --import http://fedora.redhat.com/about/security/4F2A6FD2.txt'
For further information see http://fedora.redhat.com/about/security/
and maybe google "public key encryption" on how this encryption and
signature stuff works.
HTH
Andreas
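
Added example, not part of the original message: a shell script that classifies `rpm --checksig` output so that a missing public key (the case the reply describes) is told apart from a failed check and from a package carrying no signature at all. The output line shapes are assumed from rpm 4.x and newer, the package names are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify one line of `rpm --checksig` (rpm -K) output.
# Assumption: line shapes follow rpm 4.x and newer; sample lines are constructed.

classify_checksig() {
    line=$1
    result=${line#*: }                      # drop the "package.rpm: " prefix
    case $result in
        *"MISSING KEYS"*) echo missing-key; return ;;  # signer's public key not imported
        *"NOT OK"*)       echo bad; return ;;          # digest or signature mismatch
    esac
    case $result in
        *" OK") ;;
        *) echo unknown; return ;;
    esac
    # "OK" without any signature token means only digests were checked:
    # the package is intact but says nothing about who built it.
    if printf '%s\n' "$result" |
        grep -Eqi '(^|[ (])(gpg|pgp|dsa|rsa|signatures)([ )]|$)'; then
        echo signed-ok
    else
        echo unsigned
    fi
}

# Check real files where rpm is installed; returns non-zero unless every
# package is signed-ok. Not called by the demo below.
check_packages() {
    status=0
    for pkg in "$@"; do
        verdict=$(classify_checksig "$(rpm --checksig "$pkg" 2>&1 | tail -n 1)")
        printf '%s\t%s\n' "$verdict" "$pkg"
        [ "$verdict" = signed-ok ] || status=1
    done
    return $status
}

# Constructed sample lines; the key ID is the one in the URL quoted above.
while IFS= read -r sample; do
    printf '%-12s %s\n' "$(classify_checksig "$sample")" "$sample"
done <<'EOF'
example-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
example-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#4f2a6fd2)
example-1.0-1.i386.rpm: (sha1) dsa sha1 MD5 GPG NOT OK
example-1.0-1.i386.rpm: sha1 md5 OK
EOF
```

Only `missing-key` is resolved by importing the key; `bad` and `unsigned` packages should not be installed on the strength of an "OK" click.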