[olug] Followup - Fixing GPG Errors on RH Apt-Get

CM Miller cmmiller1973 at yahoo.com
Thu May 29 23:35:01 UTC 2003



>If I run apt-get update or apt-get dist-upgrade I keep
>getting these errors on RH 8 box:

>Checking GPG signatures...
>error: qt_1%3a3.1.2-2.0.8.0_i386.rpm has invalid or unknown GPG key.
>error: kdelibs_6%3a3.1.1a-1.3.8.0_i386.rpm has invalid or unknown GPG key.
>error: kdebase_6%3a3.1.1a-1.3.8.0_i386.rpm has invalid or unknown GPG key.
>error: kdegames_6%3a3.1.1-1.2.8.0_i386.rpm has invalid or unknown GPG key.
>error: kdegraphics_7%3a3.1.1a-1.2.8.0_i386.rpm has invalid or unknown GPG key.
>error: xine-lib_1.0.0-0.beta10.0.0.8.0_i386.rpm has invalid or unknown GPG key.
>error: kdemultimedia_6%3a3.1.1-1.2.8.0_i386.rpm has invalid or unknown GPG key.
>error: xmms_1%3a1.2.7-21.2.8.0_i386.rpm has invalid or unknown GPG key.
>error: kdeaddons_3.1.1-1.2.8.0_i386.rpm has invalid or unknown GPG key.
>error: synaptic_0.32-1.3.8.0_i386.rpm has invalid or unknown GPG key.
>E: Sub-process /usr/bin/apt-sigchecker returned an error code (10)
>E: Failure running script /usr/bin/apt-sigchecker


Doing a little following up here with the list on a
problem I had with RH 8.0 and apt-get.  I added a KDE
repository to my sources file that is out of UNL.

When getting new rpms, I kept getting the errors
above.  Never seen anything like that before.

So I used wget to get the following:
gpg.rexdieter-kde-redhat.key

And issued the following commands:

$  --import gpg.rexdieter-kde-redhat.key

$  --import gpg.rexdieter-kde-redhat.key

This fixed it, but I wasn't sure what the deal was
behind all of this.  So I emailed the contact and he
explained the following: 

[quote]
FYI, 

Signed rpm packages are just a way of authenticating/proving that rpm
packages really are from who they say they are.  Otherwise, anyone could
publish an errata package *claiming* to be from redhat, when in fact,
the rpm signature would prove otherwise.

Earlier versions of redhat (< rh80) didn't enforce this or complain
much if using either unsigned packages or signed packages with
unknown keys.  Also, the method by which one could import the public
keys changed too (as seen in the differing import procedure below): rpm
version >= 4.1 incorporated this feature natively, where previous
versions used gnupg (gpg binary) as a helper application.

By importing a public key, you are allowing this source of packages
to be "trusted" by your system (ie, these packages from that
source are now installable).

Does that help explain things?

-- Rex
[/quote]
 

Hopefully this will clear things up for folks in case
they run into this problem as well. 

-Chris 



=====
GTFG

GAIM ID:  cmmiller1973
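
Added example, not part of the original post or of either author's commands: since importing a key makes every package signed by it installable, this sketch compares the key file's fingerprint with one obtained from the packager over a separate channel before running `rpm --import`, and lists which packages apt-get rejected. The function names, the sample log lines (constructed from the errors quoted above) and the fingerprint argument are assumptions; no real fingerprint is given here.

```shell
#!/bin/sh
# Added example: fingerprint check before trusting a repository signing key.

# Normalise a fingerprint for comparison: drop spaces/colons, uppercase hex.
norm_fpr() { printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'; }

# Print the primary-key fingerprint of a key file WITHOUT importing it.
# Assumes gpg lists the file's keys when given no command; newer GnuPG
# releases also offer --show-keys for this.
key_fpr() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# import_if_match KEYFILE EXPECTED_FPR
# Imports into the rpm keyring only when the fingerprint matches.
import_if_match() {
    actual=$(key_fpr "$1") || return 2
    [ -n "$actual" ] || { echo "no key found in $1" >&2; return 2; }
    if [ "$(norm_fpr "$actual")" != "$(norm_fpr "$2")" ]; then
        echo "fingerprint mismatch, not importing (got $actual)" >&2
        return 1
    fi
    rpm --import "$1"          # rpm >= 4.1 keeps trusted keys itself
}

# After the import, re-check a downloaded package's signature.
recheck() { rpm -K "$@"; }

# Read apt-get output on stdin, print the package files that were rejected.
failed_pkgs() {
    sed -n 's/^error: \(.*\.rpm\) has invalid or unknown GPG key\.$/\1/p'
}

# Constructed sample of apt-get output, so this part runs offline.
sample_log() {
    cat <<'EOF'
Checking GPG signatures...
error: qt_1%3a3.1.2-2.0.8.0_i386.rpm has invalid or unknown GPG key.
error: synaptic_0.32-1.3.8.0_i386.rpm has invalid or unknown GPG key.
E: Failure running script /usr/bin/apt-sigchecker
EOF
}

sample_log | failed_pkgs
```

Typical use is `import_if_match gpg.rexdieter-kde-redhat.key "<fingerprint from the packager>"` followed by `recheck` on one of the listed packages.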
