
Fwd: Re: [suse-security] GPG 1.2.1 and YOU



On Friday 11 Apr 2003 13:33, Lars Ellenberg wrote:
> On Fri, Apr 11, 2003 at 09:25:43AM +0100, Matt Gibson wrote:
> > > what does rpm -v --checksig <some.rpm> tell you?
> >
> > That works fine; it doesn't seem to be the md5 checksum signature, but
> > the pgp signature of the package that's the problem.
>
> rpm -v --checksig _does_ verify the gpg sig, too.

Ah, yes, thank you for that. I foolishly tested it on a package which
didn't have a pgp signature, so it only told me about the MD5 sum. Excuse
me while I kick myself.

> if it does not tell you about gpg at all, then either there is no gpg
> sig, or it could not find gpg executable/libs (don't know if it uses
> only some lib routines, or the executable).

Now, I've tried it on a package which _does_ have a pgp signature from SuSE,
and it's perfectly happy with that: it displays the gpg output correctly.
So...

> in the latter case, the suggested symlink from /usr/bin/gpg to
> /usr/local/bin/gpg could help.

I've now tried this.  Incidentally (and to help anyone searching for this in
the mailing list archive!), the error message I get from Yast is:

"Warning

Cannot check the patch <whatever> because the PGP key is not installed or is
corrupted.  So SuSE cannot guarantee that the packages has been created by
SuSE"

And creating the link from /usr/bin/gpg to /usr/local/bin/gpg has fixed the
problem!  I guess something's hardcoded somewhere, or perhaps for security
reasons YaST uses a more limited path than the normal root path
(/usr/local/bin is in root's path on my system.)

Thanks for your time, people.

Matt

-- 
"It's the small gaps between the rain that count,
 and learning how to live amongst them."
	      -- Jeff Noon
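
The diagnosis in the message above (gpg installed in /usr/local/bin, not found by YaST until /usr/bin/gpg existed) can be checked with a lookup like the following. This is an added example, not part of the original post; the function names and the `RESTRICTED_PATH` variable are hypothetical, and the default restricted PATH is an assumption, since the thread does not say what YaST actually searches.

```shell
#!/bin/sh
# Added example (not from the thread): which gpg would a process with a
# restricted PATH find, compared with root's login PATH?

# Print the first executable named $1 in the colon-separated list $2.
find_in_path() {
    fip_old_ifs=$IFS
    IFS=:
    for fip_dir in $2; do
        [ -n "$fip_dir" ] || fip_dir=.      # an empty PATH entry means "."
        if [ -f "$fip_dir/$1" ] && [ -x "$fip_dir/$1" ]; then
            IFS=$fip_old_ifs
            printf '%s\n' "$fip_dir/$1"
            return 0
        fi
    done
    IFS=$fip_old_ifs
    return 1
}

# Show a path, and its target if it is a symlink.
describe() {
    if [ -L "$1" ]; then
        printf '%s -> %s\n' "$1" "$(readlink "$1")"
    else
        printf '%s\n' "$1"
    fi
}

# diagnose CMD RESTRICTED_PATH LOGIN_PATH
diagnose() {
    dg_r=$(find_in_path "$1" "$2") || dg_r=
    dg_f=$(find_in_path "$1" "$3") || dg_f=
    if [ -n "$dg_r" ]; then
        printf 'found %s\n' "$(describe "$dg_r")"
    elif [ -n "$dg_f" ]; then
        printf 'missing (login PATH has %s)\n' "$(describe "$dg_f")"
    else
        printf 'absent\n'
    fi
}

# Assumed restricted PATH; the thread does not say what YaST actually uses.
diagnose gpg "${RESTRICTED_PATH:-/usr/sbin:/usr/bin:/sbin:/bin}" "$PATH"
```

When the result is a symlink, the printed target shows which binary is really performing the signature check, which is worth confirming before trusting the verification result.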
