#6903 closed defect (fixed)
GPG used to sign repomd.xml is different from repomd.xml.key
| Reported by: | Luiz Angelo Daros de Luca | Owned by: | |
|---|---|---|---|
| Component: | other | Version: | VirtualBox 3.2.2 |
| Keywords: | repository | Cc: | |
| Guest type: | other | Host type: | other |
Description
Hello,
The key used to sign repomd.xml (in repomd.xml.asc) should use the key in repomd.xml.key. However, this is not true. The repomd.xml.key is ID 6DFBCBAE and the repomod.xml.asc was generated using 98AB5139.
This script tries to check the sig using repomd.xml.key.
$ REPO='http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2/' $ wget "$REPO/repodata/repomd.xml" --2010-06-04 14:38:31-- http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml Resolving proxy.tre-sc.gov.br... 10.9.1.25 Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 951 [text/xml] Saving to: `repomd.xml'
100%[=============================================================================================================>] 951 --.-K/s in 0s
2010-06-04 14:38:31 (53.0 MB/s) - `repomd.xml' saved [951/951]
$ wget "$REPO/repodata/repomd.xml.key" --2010-06-04 14:38:31-- http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml.key Resolving proxy.tre-sc.gov.br... 10.9.1.25 Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 1747 (1.7K) [text/xml] Saving to: `repomd.xml.key'
100%[=============================================================================================================>] 1,747 --.-K/s in 0s
2010-06-04 14:38:31 (104 MB/s) - `repomd.xml.key' saved [1747/1747]
$ wget "$REPO/repodata/repomd.xml.asc" --2010-06-04 14:38:31-- http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml.asc Resolving proxy.tre-sc.gov.br... 10.9.1.25 Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 197 [text/xml] Saving to: `repomd.xml.asc'
100%[=============================================================================================================>] 197 --.-K/s in 0s
2010-06-04 14:38:31 (18.9 MB/s) - `repomd.xml.asc' saved [197/197]
$ gpg --no-default-keyring --keyring /tmp/aaa --import repomd.xml.key gpg: key 6DFBCBAE: "Sun Microsystems, Inc. (xVM VirtualBox archive signing key) <info@…>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 $ gpg --no-default-keyring --keyring /tmp/aaa --verify repomd.xml.asc gpg: Signature made Fri Jun 4 11:16:05 2010 BRT using DSA key ID 98AB5139 gpg: Can't check signature: No public key
Thanks for this report. The repomd.xml.key was fixed.