id summary reporter owner description type status component version resolution keywords cc guest host 6903 GPG used to sign repomd.xml is different from repomd.xml.key Luiz Angelo Daros de Luca "Hello, The key used to sign repomd.xml (in repomd.xml.asc) should use the key in repomd.xml.key. However, this is not true. The repomd.xml.key is ID 6DFBCBAE and the repomod.xml.asc was generated using 98AB5139. This script tries to check the sig using repomd.xml.key. $ REPO='http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2/' $ wget ""$REPO/repodata/repomd.xml"" --2010-06-04 14:38:31-- http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml Resolving proxy.tre-sc.gov.br... 10.9.1.25 Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 951 [text/xml] Saving to: `repomd.xml' 100%[=============================================================================================================>] 951 --.-K/s in 0s 2010-06-04 14:38:31 (53.0 MB/s) - `repomd.xml' saved [951/951] $ wget ""$REPO/repodata/repomd.xml.key"" --2010-06-04 14:38:31-- http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml.key Resolving proxy.tre-sc.gov.br... 10.9.1.25 Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 1747 (1.7K) [text/xml] Saving to: `repomd.xml.key' 100%[=============================================================================================================>] 1,747 --.-K/s in 0s 2010-06-04 14:38:31 (104 MB/s) - `repomd.xml.key' saved [1747/1747] $ wget ""$REPO/repodata/repomd.xml.asc"" --2010-06-04 14:38:31-- http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml.asc Resolving proxy.tre-sc.gov.br... 10.9.1.25 Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected. Proxy request sent, awaiting response... 200 OK Length: 197 [text/xml] Saving to: `repomd.xml.asc' 100%[=============================================================================================================>] 197 --.-K/s in 0s 2010-06-04 14:38:31 (18.9 MB/s) - `repomd.xml.asc' saved [197/197] $ gpg --no-default-keyring --keyring /tmp/aaa --import repomd.xml.key gpg: key 6DFBCBAE: ""Sun Microsystems, Inc. (xVM VirtualBox archive signing key) "" not changed gpg: Total number processed: 1 gpg: unchanged: 1 $ gpg --no-default-keyring --keyring /tmp/aaa --verify repomd.xml.asc gpg: Signature made Fri Jun 4 11:16:05 2010 BRT using DSA key ID 98AB5139 gpg: Can't check signature: No public key " defect closed other VirtualBox 3.2.2 fixed repository other other