﻿id,summary,reporter,owner,description,type,status,component,version,resolution,keywords,cc,guest,host
6903,GPG used to sign repomd.xml is different from repomd.xml.key,Luiz Angelo Daros de Luca,,"Hello,

The key used to sign repomd.xml (in repomd.xml.asc) should be the key in repomd.xml.key. However, this is not true. The repomd.xml.key is ID 6DFBCBAE and the repomd.xml.asc was generated using 98AB5139.

This script tries to check the sig using repomd.xml.key.

$ REPO='http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2/'
$ wget ""$REPO/repodata/repomd.xml""
--2010-06-04 14:38:31--  http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml
Resolving proxy.tre-sc.gov.br... 10.9.1.25
Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 951 [text/xml]
Saving to: `repomd.xml'

100%[=============================================================================================================>] 951         --.-K/s   in 0s      

2010-06-04 14:38:31 (53.0 MB/s) - `repomd.xml' saved [951/951]

$ wget ""$REPO/repodata/repomd.xml.key""
--2010-06-04 14:38:31--  http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml.key
Resolving proxy.tre-sc.gov.br... 10.9.1.25
Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 1747 (1.7K) [text/xml]
Saving to: `repomd.xml.key'

100%[=============================================================================================================>] 1,747       --.-K/s   in 0s      

2010-06-04 14:38:31 (104 MB/s) - `repomd.xml.key' saved [1747/1747]

$ wget ""$REPO/repodata/repomd.xml.asc""
--2010-06-04 14:38:31--  http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml.asc
Resolving proxy.tre-sc.gov.br... 10.9.1.25
Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 197 [text/xml]
Saving to: `repomd.xml.asc'

100%[=============================================================================================================>] 197         --.-K/s   in 0s      

2010-06-04 14:38:31 (18.9 MB/s) - `repomd.xml.asc' saved [197/197]

$ gpg --no-default-keyring --keyring /tmp/aaa --import repomd.xml.key 
gpg: key 6DFBCBAE: ""Sun Microsystems, Inc. (xVM VirtualBox archive signing key) <info@virtualbox.org>"" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ gpg --no-default-keyring --keyring /tmp/aaa --verify repomd.xml.asc
gpg: Signature made Fri Jun  4 11:16:05 2010 BRT using DSA key ID 98AB5139
gpg: Can't check signature: No public key
",defect,closed,other,VirtualBox 3.2.2,fixed,repository,,other,other
