VirtualBox

Ticket #6903 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

GPG used to sign repomd.xml is different from repomd.xml.key

Reported by: luizluca Owned by:
Priority: major Component: other
Version: VirtualBox 3.2.2 Keywords: repository
Cc: Guest type: other
Host type: other

Description

Hello,

The key used to sign repomd.xml (in repomd.xml.asc) should use the key in repomd.xml.key. However, this is not true. The repomd.xml.key is ID 6DFBCBAE and the repomod.xml.asc was generated using 98AB5139.

This script tries to check the sig using repomd.xml.key.

$ REPO=' http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2/' $ wget "$REPO/repodata/repomd.xml" --2010-06-04 14:38:31--  http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml Resolving proxy.tre-sc.gov.br... 10.9.1.25 Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 951 [text/xml] Saving to: `repomd.xml'

100%[=============================================================================================================>] 951 --.-K/s in 0s

2010-06-04 14:38:31 (53.0 MB/s) - `repomd.xml' saved [951/951]

$ wget "$REPO/repodata/repomd.xml.key" --2010-06-04 14:38:31--  http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml.key Resolving proxy.tre-sc.gov.br... 10.9.1.25 Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 1747 (1.7K) [text/xml] Saving to: `repomd.xml.key'

100%[=============================================================================================================>] 1,747 --.-K/s in 0s

2010-06-04 14:38:31 (104 MB/s) - `repomd.xml.key' saved [1747/1747]

$ wget "$REPO/repodata/repomd.xml.asc" --2010-06-04 14:38:31--  http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml.asc Resolving proxy.tre-sc.gov.br... 10.9.1.25 Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 197 [text/xml] Saving to: `repomd.xml.asc'

100%[=============================================================================================================>] 197 --.-K/s in 0s

2010-06-04 14:38:31 (18.9 MB/s) - `repomd.xml.asc' saved [197/197]

$ gpg --no-default-keyring --keyring /tmp/aaa --import repomd.xml.key gpg: key 6DFBCBAE: "Sun Microsystems, Inc. (xVM VirtualBox archive signing key) <info@…>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 $ gpg --no-default-keyring --keyring /tmp/aaa --verify repomd.xml.asc gpg: Signature made Fri Jun 4 11:16:05 2010 BRT using DSA key ID 98AB5139 gpg: Can't check signature: No public key

Change History

comment:1 Changed 4 years ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

Thanks for this report. The repomd.xml.key was fixed.

comment:2 Changed 4 years ago by luizluca

thanks for the very fast fix!

Note: See TracTickets for help on using tickets.

www.oracle.com
ContactPrivacy policyTerms of Use