RPM public key import bug

John Dalbec <jpdalbec@xxxxxxx> · Fri, 27 Feb 2004 11:35:55 -0500

When I rpm --import a public key with the RHL 8.0 legacy-utils RPM packages, the 
version of the gpg-pubkey package is not taken from the key ID.  Instead RPM 
finds the first sig 3 (what does the 3 mean?) and versions the package after the 
key ID from that signature.  In some cases this makes the key useless for 
verifying RPMs since the RPM version doesn't match the key ID.  Is there a 
standard that says the first sig 3 should be from the key itself?

Thanks,

John

[jpdalbec@testing07 jpdalbec]$ mkdir -m 700 gpghome

[jpdalbec@testing07 jpdalbec]$ gpg --homedir gpghome --keyserver pgp.mit.edu 
--recv-keys 54a2acf1

gpg: Warning: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

gpg: keyring `gpghome/secring.gpg' created

gpg: keyring `gpghome/pubring.gpg' created

gpg: requesting key 54A2ACF1 from HKP keyserver pgp.mit.edu

gpg: gpghome/trustdb.gpg: trustdb created

gpg: key 54A2ACF1: public key imported

gpg: Total number processed: 1

gpg:               imported: 1

[jpdalbec@testing07 jpdalbec]$ gpg --homedir gpghome --list-sigs 54a2acf1

gpg: Warning: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

pub  1024D/54A2ACF1 2002-11-25 Warren Togami (Linux) <warren@xxxxxxxxxx>

sig         9B649644 2003-02-09   [User id not found]

sig         BAE32F33 2003-08-24   [User id not found]

sig         67899E2B 2003-02-20   [User id not found]

sig         3ED6F034 2003-05-25   [User id not found]

sig 2       D881FF60 2003-04-23   [User id not found]

sig 2       B8AF1C54 2003-06-03   [User id not found]

sig 2       1B0390E0 2002-11-25   [User id not found]

sig 2       3FF87D98 2003-02-09   [User id not found]

sig 2       BCD241CB 2003-02-13   [User id not found]

sig 2       3C9DB0AA 2003-03-31   [User id not found]

sig 2       E421D146 2003-05-27   [User id not found]

sig 2       C58CF1CB 2003-06-27   [User id not found]

sig 2       E42D547B 2003-08-19   [User id not found]

sig 2       78688BF5 2004-01-08   [User id not found]

sig 2       9D6B4012 2004-01-15   [User id not found]

sig 2       A1906F09 2004-02-14   [User id not found]

sig 3       780C9288 2003-01-30   [User id not found]

sig 3       8E279021 2003-02-22   [User id not found]

sig 3       AA168599 2002-11-25   [User id not found]

sig 3       EE9FC38B 2003-01-24   [User id not found]

sig 3       55F3AA6F 2003-01-24   [User id not found]

sig 3       9B8DEC2A 2003-02-06   [User id not found]

sig 3       D885D953 2003-03-21   [User id not found]

sig 3       8DF56D05 2003-03-27   [User id not found]

sig 3       99F0D661 2003-03-27   [User id not found]

sig 3       C5575542 2003-05-27   [User id not found]

sig 3       54A2ACF1 2002-11-25   Warren Togami (Linux) <warren@xxxxxxxxxx>

sig 3       54A2ACF1 2002-11-25   Warren Togami (Linux) <warren@xxxxxxxxxx>

sub  2048g/4AD75982 2002-11-25 [expires: 2007-11-24]

sig         54A2ACF1 2002-11-25   Warren Togami (Linux) <warren@xxxxxxxxxx>

[jpdalbec@testing07 jpdalbec]$ gpg --homedir gpghome --armor --export 54a2acf1 > tmp
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
[jpdalbec@testing07 jpdalbec]$ mkdir rpmroot
[jpdalbec@testing07 jpdalbec]$ rpm --root $(pwd)/rpmroot --import tmp
[jpdalbec@testing07 jpdalbec]$ rpm --root $(pwd)/rpmroot -q gpg-pubkey
gpg-pubkey-780c9288-3e38e07d
[jpdalbec@testing07 jpdalbec]$