rpm --nosignature reversed meaning

Tomasz Pala gotar at polanet.pl
Tue Aug 30 13:03:25 CEST 2016

Since we got the answer for this issue - th-admin, please publish separate GPG files.

As for the reversed meaning of --nosignature, assistance required.
Or RFC on enabling them unconditionally, following upstream rpm5.

On Tue, Aug 30, 2016 at 06:56:11 -0400, Jeffrey Johnson wrote:

>>> 	http://pld-devel-en.pld-linux.narkive.com/ZssnN7t4/rpm-va-bad-key-id
>> [...]
>> The same problem, but completely wrong diagnosis.
>> ~: rpm --import PLD-3.0-Th-GPG-keyRSA.asc
>> ~: rpm --import PLD-3.0-Th-GPG-keyDSA.asc 
>> ~: rpm -q gpg-pubkey
>> gpg-pubkey-e4f1bc2d-47b351f0
>> gpg-pubkey-eae6f8b8-47b35206
>> That should be done when importing PLD-3.0-Th-GPG-key.asc - two distinct
>> keys, DSA and RSA. As you see I split them manually and now it verifies
>> correctly, so rpm simply can't handle properly multi-key import.
> Yep: RPM has never handled subkeys nor concatenated armored pubkeys.
> So
> 	Don???t do that!
> (i.e. use separate imports for each pubkey instead) should suffice.

Tomasz Pala <gotar at pld-linux.org>

More information about the pld-devel-en mailing list