﻿id	summary	reporter	owner	description	type	status	component	version	resolution	keywords	cc	guest	host
6903	GPG used to sign repomd.xml is different from repomd.xml.key	Luiz Angelo Daros de Luca		"Hello,

The key used to sign repomd.xml (in repomd.xml.asc) should use the key in repomd.xml.key. However, this is not true. The repomd.xml.key is ID 6DFBCBAE and the repomd.xml.asc was generated using 98AB5139.

This script tries to check the sig using repomd.xml.key.

$ REPO='http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2/'
$ wget ""$REPO/repodata/repomd.xml""
--2010-06-04 14:38:31--  http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml
Resolving proxy.tre-sc.gov.br... 10.9.1.25
Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 951 [text/xml]
Saving to: `repomd.xml'

100%[=============================================================================================================>] 951         --.-K/s   in 0s      

2010-06-04 14:38:31 (53.0 MB/s) - `repomd.xml' saved [951/951]

$ wget ""$REPO/repodata/repomd.xml.key""
--2010-06-04 14:38:31--  http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml.key
Resolving proxy.tre-sc.gov.br... 10.9.1.25
Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 1747 (1.7K) [text/xml]
Saving to: `repomd.xml.key'

100%[=============================================================================================================>] 1,747       --.-K/s   in 0s      

2010-06-04 14:38:31 (104 MB/s) - `repomd.xml.key' saved [1747/1747]

$ wget ""$REPO/repodata/repomd.xml.asc""
--2010-06-04 14:38:31--  http://download.virtualbox.org/virtualbox/rpm/opensuse/11.2//repodata/repomd.xml.asc
Resolving proxy.tre-sc.gov.br... 10.9.1.25
Connecting to proxy.tre-sc.gov.br|10.9.1.25|:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 197 [text/xml]
Saving to: `repomd.xml.asc'

100%[=============================================================================================================>] 197         --.-K/s   in 0s      

2010-06-04 14:38:31 (18.9 MB/s) - `repomd.xml.asc' saved [197/197]

$ gpg --no-default-keyring --keyring /tmp/aaa --import repomd.xml.key 
gpg: key 6DFBCBAE: ""Sun Microsystems, Inc. (xVM VirtualBox archive signing key) <info@virtualbox.org>"" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ gpg --no-default-keyring --keyring /tmp/aaa --verify repomd.xml.asc
gpg: Signature made Fri Jun  4 11:16:05 2010 BRT using DSA key ID 98AB5139
gpg: Can't check signature: No public key
"	defect	closed	other	VirtualBox 3.2.2	fixed	repository		other	other
