On Friday 23 April 2004 13:56, CJ Kucera wrote:
> Two links are given for the primary Fedora package signing key, one
> at fedora.redhat.com, and the other at the public keyserver
> pgp.mit.edu. I've been trying to figure out why the key I've been
> using hasn't been validating RPMs properly, and as it turns out, the
> key being given at pgp.mit.edu is *different* from the key at
> fedora.redhat.com.
>
> This was a bit confusing, as both keys had the same datestamp and the
> same ID, so I've been beating my head against the wall for some time
> now. The one hosted at fedora.redhat.com works, the one at
> pgp.mit.edu doesn't. Now obviously the one at pgp.mit.edu should
> probably be updated somehow to be the correct key, but in the
> meantime it'd be great if the website mentioned something along the
> lines of, "don't grab the one at pgp.mit.edu because it won't work"
> and take that link off of there, so that people like me who generally
> *only* use public keyservers won't spend a lot of time confused. :)

Could it be that the one on the keyserver has been signed by various
folks? Rpm checking against keys that have been signed is a no-no,
which is why Fedora offers up an unsigned key on their website for
usage. The one on the server is signed to verify validity.

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating
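One way to check the explanation suggested in the reply above, as an added example that is not part of the original thread: walk the OpenPGP packets of two binary (de-armored) copies of a key and compare the primary-key fingerprint and the number of signature packets. The sample blobs are constructed placeholders rather than the Fedora key, and the fingerprint is computed on the assumption of a v4 key.

```python
import hashlib

def packets(data):
    """Yield (tag, body) for each packet in a binary (de-armored) OpenPGP blob."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:  # old-format header: low two bits select the length field size
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def summarize(data):
    """Return (v4 fingerprint of the primary key, number of signature packets)."""
    pkts = list(packets(data))
    key = next(body for tag, body in pkts if tag == 6)  # tag 6 = public key
    fpr = hashlib.sha1(b"\x99" + len(key).to_bytes(2, "big") + key).hexdigest()
    return fpr, sum(1 for tag, _ in pkts if tag == 2)   # tag 2 = signature

# Constructed sample data, not a real key: same key packet, different signature sets.
def old_pkt(tag, body):  # old-format packet with a one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body

KEY = old_pkt(6, b"\x04" + (1070000000).to_bytes(4, "big") + b"\x11" + b"constructed-key")
UID = old_pkt(13, b"Example Key <key@example.invalid>")
WEBSITE_COPY = KEY + UID + old_pkt(2, b"self-signature")
KEYSERVER_COPY = WEBSITE_COPY + old_pkt(2, b"third-party sig A") + old_pkt(2, b"third-party sig B")
print(summarize(WEBSITE_COPY), summarize(KEYSERVER_COPY))
```

Two copies that report the same fingerprint but different signature counts are the same key with different certifications attached, which is why the files differ byte for byte while the ID and creation date match.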