rpm --nosignature reversed meaning

Tomasz Pala gotar at polanet.pl
Tue Aug 30 12:44:25 CEST 2016

On Tue, Aug 30, 2016 at 06:30:24 -0400, Jeffrey Johnson wrote:

>> But I believe the PLD-Th-GPG issue was discussed in spring 2015 on pld-devel.
> This was the issue I was remembering:
> 	http://pld-devel-en.pld-linux.narkive.com/ZssnN7t4/rpm-va-bad-key-id
> That specific issue was resolved by disabling
> signature verification during ???verify, largely
> to avoid reimporting PLD-Th-GPG which was
> ???unacceptable???.
> Meanwhile, many RSA issues were repaired between
> rpm-5.4.14 and rpm-5.4.15.
> So issues with RSA are ???expected???.

The same problem, but completely wrong diagnosis.

~: rpm --import PLD-3.0-Th-GPG-keyRSA.asc
~: rpm --import PLD-3.0-Th-GPG-keyDSA.asc 
~: rpm -q gpg-pubkey

That should be done when importing PLD-3.0-Th-GPG-key.asc - two distinct
keys, DSA and RSA. As you see I split them manually and now it verifies
correctly, so rpm simply can't handle properly multi-key import.

Please stop guessing about my guessings, just do the commands.

Tomasz Pala <gotar at pld-linux.org>

More information about the pld-devel-en mailing list