
[suse-security] Problems getting GPG key recognised by RPM




Hey all,

I'm trying to import a GPG key into RPM for package signature checking. 
However, the ASCII-armored key doesn't seem to be recognised by RPM, although 
the pseudo-package is created.

The key has ID CD3140CD. Exporting an ASCII-armored public key gives a file as 
follows:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.4 (GNU/Linux)

mQGiBD1Giz8RBACwOaLG5S5MhYRA6pg0s/h/MAda/KWR9SIIaA7OGqEITcuQbvG2
lmldBOlC2UZLxM7XZNz3p4xPotgbGJ/a7ZYTOE8aEvYo/oTkyHfqy956f4ujmike
moZ5rn1Zu5ij6ze2Cz0GH1uVV3KvKRp9h+hNvjzm7T4sBFJ9PSwzuC19xwCg/+dF
<snip>
/3QnvaR72kd3dIh47GWnIbS4P8jxHrQhxEELe2pbiEYEGBECAAYFAj1Gi0QACgkQ
t7/qz80xQM3FCwCfVhZ0eIlgJLlTowhkKs4/bWAZJSEAoPqcQpzxF9TX/0hq6DCL
HuBYoivd
=gkzc
-----END PGP PUBLIC KEY BLOCK-----

This file was imported into RPM with "rpm --import rainer.asc". No errors 
were reported during import. A list of current public keys known by rpm:
# rpm -qa gpg-pubkey*
gpg-pubkey-807235a8-3e26a1bc
gpg-pubkey-9c800aca-39eef481

# rpm -qi gpg-pubkey-807235a8-3e26a1bc
Name        : gpg-pubkey                   Relocations: (not relocatable)
Version     : 807235a8                          Vendor: (none)
Release     : 3e26a1bc                      Build Date: Wed Jul 21 14:35:30 2004
Install date: Wed Jul 21 14:35:30 2004      Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
Size        : 0                                License: pubkey
Signature   : (none)
Summary     : gpg(Rainer Lay <rainer.lay@xxxxxxxxxxxxxxxxxxxxxxxxxx>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.1.1 (beecrypt-2.2.0)

mQGiBD1Giz8RBACwOaLG5S5MhYRA6pg0s/h/MAda/KWR9SIIaA7OGqEITcuQbvG2lmldBOlC
2UZLxM7XZNz3p4xPotgbGJ/a7ZYTOE8aEvYo/oTkyHfqy956f4ujmikemoZ5rn1Zu5ij6ze2
Cz0GH1uVV3KvKRp9h+hNvjzm7T4sBFJ9PSwzuC19xwCg/+dFQvXdGtgwcpI10Bx+JQ6z0t0E
<snip>
sLtMLzwY/3QnvaR72kd3dIh47GWnIbS4P8jxHrQhxEELe2pbiEYEGBECAAYFAj1Gi0QACgkQ
t7/qz80xQM3FCwCfVhZ0eIlgJLlTowhkKs4/bWAZJSEAoPqcQpzxF9TX/0hq6DCLHuBYoivd
=gkzc
-----END PGP PUBLIC KEY BLOCK-----

As can be seen, the information seems to be different. Also, shouldn't the 
name of the pseudo-package give an indication as to the key ID? Not surprisingly, 
a sigcheck of a package fails:
# rpm -K k3b-0.11.12-0.pm.1.i586.rpm
k3b-0.11.12-0.pm.1.i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#cd3140cd)

However, checking the rpm against the .asc file listed on the site indicates 
the package seems to be OK.

What am I doing wrong? I found 
http://lists.suse.com/archive/suse-security/2004-Mar/0073.html indicating 
that the problem might be in the signature of the key. Can anybody shed some 
light on this? How do I limit the export of the signature (the exported file 
is larger than other found signature files)? I have tried to export the key 
from gpg with --openpgp or --pgp2 but that doesn't seem to influence the 
export.

Thanks,

Eric

-- 
eric.seynaeve@xxxxxxxxxxx
long GPG key id: B0BDB695395DDBFC
key fingerprint: B207 1531 4D18 7142 7ED2 B835 B0BD B695 395D DBFC

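
To compare the ID in a gpg-pubkey package name with the key IDs actually present in an exported key file, the following added example (not part of the original post, and not rpm or GnuPG code) walks the OpenPGP packets of an ASCII-armored block and returns the primary key's ID and creation time together with the issuer of every signature packet. It assumes a v4 primary key and RFC 4880 packet framing; all function names are illustrative.

```python
import base64, hashlib

def dearmor(text):  # armor headers end at the first blank line
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]                  # drop headers and END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def read_len(buf, i, two_octet_max):  # RFC 4880 length: 1, 2 or 5 octets
    n = buf[i]; i += 1
    if 192 <= n <= two_octet_max:
        n = ((n - 192) << 8) + buf[i] + 192; i += 1
    elif n == 255:
        n = int.from_bytes(buf[i:i + 4], "big"); i += 4
    return n, i

def packets(data):
    # Yield (tag, body) per packet; partial and indeterminate lengths are not handled.
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                                    # new-format header
            tag = hdr & 0x3F
            n, i = read_len(data, i, 223)
        else:                                             # old-format header
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]
            n = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + n]; i += n

def sig_issuer(body):  # issuer key ID: fixed field in v3, subpacket type 16 in v4
    if body[0] == 3: return body[7:15].hex()
    hlen = int.from_bytes(body[4:6], "big")               # hashed subpacket area
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big") # unhashed subpacket area
    for area in (body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]):
        i = 0
        while i < len(area):
            n, i = read_len(area, i, 254)
            if area[i] & 0x7F == 16:
                return area[i + 1:i + n].hex()
            i += n

def key_ids(armored):
    out = {"primary": None, "created": None, "sig_issuers": []}
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and body[0] == 4:                     # v4 primary key packet
            fp = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
            out["primary"], out["created"] = fp[-8:].hex(), body[1:5].hex()
        elif tag == 2:                                    # signature packet
            out["sig_issuers"].append(sig_issuer(body))
    return out
```

`key_ids(open("rainer.asc").read())` returns the IDs to set beside the `gpg-pubkey-<version>-<release>` name and the `MISSING KEYS` ID that `rpm -K` reports.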