-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Dalbec wrote:
> When I rpm --import a public key with the RHL 8.0 legacy-utils RPM
> packages, the version of the gpg-pubkey package is not taken from the key
> ID.

Like Michael said, you're running into an rpm bug. See here:

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90952

To me, this is a reason that the gpg functions should have remained in
gpg and not rolled into rpm itself. This bug has existed for several
versions now (rh{8.0,9}, fc1) and doesn't seem like a high priority to
fix. (Anyone know if it's fixed in FC2 testing?)

> Instead RPM finds the first sig 3 (what does the 3 mean?)

The 3 marks how carefully the signer has checked the key. gpg allows
for 4 levels and describes them as:

   (0) I will not answer. (default)
   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

> Is there a standard that says the first sig 3 should be from the key
> itself?

Not that I know of. I think rpm is just broken here. If you want to
look though, the spec to read would be the OpenPGP spec, RFC2440.
There is a draft of a successor to that which might have something
relevant also, I think that's named 2440-bis, but you'll have to google
to confirm, my memory isn't great and it's way too early for me to be
thinking anyway.

- --
Todd              OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Drugs may lead to nowhere, but at least it's the scenic route.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFAP3Xpuv+09NZUB1oRAuZbAKDeZiOrVqZDUrRHY5loJD6vujEZ7gCfZwXc
mdqNMe5qS1LAkBC+9vVTqSc=
=vnQC
-----END PGP SIGNATURE-----
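
Added example (not part of the original message and not rpm's code): a check over `gpg --with-colons --list-sigs` output that maps each certification's signature class (0x10 to 0x13) to the check levels 0 to 3 listed above, and flags a key whose first level-3 certification was issued by a key other than the primary. The sample listing is constructed, and treating the issuer of the first "sig 3" as the source of the wrong version is an assumption based on the behaviour described in the question.

```python
# Constructed sample in gpg's colon-delimited format (not real key data).
# A third-party level-3 certification precedes the key's own self-signature.
SAMPLE = """\
pub:-:1024:17:AAAAAAAA11111111:1078000000:::-:::scESC:
uid:-::::1078000000::0000::Example Signer <signer@example.org>:
sig:::17:BBBBBBBB22222222:1078100000::::Third Party <tp@example.org>:13x:
sig:::17:AAAAAAAA11111111:1078000000::::Example Signer <signer@example.org>:13x:
sig:::17:CCCCCCCC33333333:1078200000::::Casual Checker <cc@example.org>:12x:
"""

# OpenPGP certification signature classes and the check level gpg prints.
CERT_LEVEL = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}


def parse(listing):
    """Return (primary_keyid, [(issuer_keyid, level), ...]) for the first key."""
    primary, certs = None, []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and primary is None:
            primary = f[4].upper()              # field 5: 64-bit key ID
        elif f[0] == "sig" and len(f) > 10 and f[10]:
            sigclass = int(f[10][:2], 16)       # field 11: e.g. "13x"
            if sigclass in CERT_LEVEL:          # skip revocations etc.
                certs.append((f[4].upper(), CERT_LEVEL[sigclass]))
    return primary, certs


def short_id(keyid):
    """gpg-pubkey 'version' form: low 32 bits of the key ID, lowercase hex."""
    return keyid[-8:].lower()


def check(listing):
    """Compare the key's own short ID with the issuer of the first level-3 cert."""
    primary, certs = parse(listing)
    first3 = next((short_id(i) for i, lvl in certs if lvl == 3), None)
    want = short_id(primary)
    return {"expected": want, "first_sig3": first3,
            "mismatch": first3 is not None and first3 != want}


if __name__ == "__main__":
    print(check(SAMPLE))
```

A key reported with `mismatch: True` is one to verify by full fingerprint after import rather than by the gpg-pubkey package name.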