[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Fwd: Re: [suse-security] GPG 1.2.1 and YOU
On Friday 11 Apr 2003 13:33, Lars Ellenberg wrote:
> On Fri, Apr 11, 2003 at 09:25:43AM +0100, Matt Gibson wrote:
> > > what does rpm -v --checksig <some.rpm> tell you?
> > That works fine; it doesn't seem to be the md5 checksum signature, but
> > the pgp signature of the package that's the problem.
> rpm -v --checksig _does_ verify the gpg sig, too.
Ah, yes, thank you for that. I foolishly tested it on a package which
didn't have a pgp signature, so it only told me about the MD5 sum. Excuse
me while I kick myself.
> if it does not tell you about gpg at all, then either there is no gpg
> sig, or it could not find gpg executable/libs (don't know if it uses
> only some lib routines, or the executable).
Now, I've tried it on a package which _does_ have a pgp signature from SuSE,
and it's perfectly happy with that: it displays the gpg output correctly.
> in the later case, the suggested symlink from /usr/bin/gpg to
> /usr/local/bin/gpg could help.
I've now tried this. Incidentally (and to help anyone searching for this in
the mailing list archive!), the error message I get from Yast is:
Cannot check the patch <whatever> because the PGP key is not installed or is
corrupted. So SuSE cannot guarantee that the packages has been created by
And creating the link from /usr/bin/gpg to /usr/local/bin/gpg has fixed the
problem! I guess something's hardcoded somewhere, or perhaps for security
reasons YaST uses a more limited path than the normal root path
(/usr/local/bin is in root's path on my system.)
Thanks for your time, people.
"It's the small gaps between the rain that count,
and learning how to live amongst them."
-- Jeff Noon
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here