You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by "McDonald, Dan" <Da...@austinenergy.com> on 2008/04/18 15:17:03 UTC

gpg failure on sa-update due to non-cross-certified key

I recently installed Mandriva 2008.1 on one of my spamfilters.  It
includes gpg version 1.4.9.  When I try to run sa-update, I get:
[mcdonalddj@mcdonalddj-dc ~]$ sudo sa-update
Password: 
gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed


When I ran sa-update in debug mode, I see this message:
[1518] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf
[1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz
[1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.sha1
[1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.asc
[1518] dbg: sha1: verification wanted: 129293f2f748a7398442daf97a26e2af387192a6
[1518] dbg: sha1: verification result: 129293f2f748a7398442daf97a26e2af387192a6
[1518] dbg: channel: populating temp content file
[1518] dbg: gpg: populating temp signature file
[1518] dbg: gpg: calling gpg
gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
[1518] dbg: gpg: gpg: Signature made Wed 16 Apr 2008 04:28:44 AM CDT using RSA key ID 24F434CE
[1518] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[1518] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
[1518] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
[1518] dbg: gpg: gpg: Can't check signature: general error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed

Looking at the gnupg faq, this appears to be a problem with the way the key is created.
I was able to run sa-update with the --nogpg option, and sa-compile
worked fine after sa-update ran, but I would like to know the best way
to fix this long term.  Is this a gnupg bug?  or a spamassassin bug?
Or... ?


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com

Re: gpg failure on sa-update due to non-cross-certified key

Posted by D Hill <d....@yournetplus.com>.

On Fri, 18 Apr 2008 at 10:30 -0500, Dan.McDonald@austinenergy.com confabulated:

> On Fri, 2008-04-18 at 13:51 +0000, D Hill wrote:
>> Re-download a GPG key and import:
>>
>>    wget http://spamassassin.apache.org/updates/GPG.KEY
>>    sa-update --import GPG.KEY
>>
>> This is in the wiki:
>>
>> http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29
>>
>> I had the same thing happen and all is well now.
>
> Ah, thank you.  I dug around the wiki for an hour last night and didn't
> find this article...

A search for the word 'update' on the Wiki is how I found it.

Re: gpg failure on sa-update due to non-cross-certified key

Posted by Vivek Khera <vi...@khera.org>.

On Apr 18, 2008, at 11:30 AM, McDonald, Dan wrote:

>> http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29
>>
>> I had the same thing happen and all is well now.
>
> Ah, thank you.  I dug around the wiki for an hour last night and  
> didn't
> find this article...
>

I cut/pasted the error message that gpg issued from the sa-update -D  
output, and this page was the first or second link in google.

Re: gpg failure on sa-update due to non-cross-certified key

Posted by "McDonald, Dan" <Da...@austinenergy.com>.

On Fri, 2008-04-18 at 13:51 +0000, D Hill wrote:
> Re-download a GPG key and import:
> 
>    wget http://spamassassin.apache.org/updates/GPG.KEY
>    sa-update --import GPG.KEY
> 
> This is in the wiki:
> 
> http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29
> 
> I had the same thing happen and all is well now.

Ah, thank you.  I dug around the wiki for an hour last night and didn't
find this article...

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com

Re: gpg failure on sa-update due to non-cross-certified key

Posted by D Hill <d....@yournetplus.com>.

Re-download a GPG key and import:

   wget http://spamassassin.apache.org/updates/GPG.KEY
   sa-update --import GPG.KEY

This is in the wiki:

http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29

I had the same thing happen and all is well now.

-d

On Fri, 18 Apr 2008 at 08:24 -0500, Dan.McDonald@austinenergy.com confabulated:

> I recently installed Mandriva 2008.1 on one of my spamfilters.  It
> includes gpg version 1.4.9.  When I try to run sa-update, I get:
> [mcdonalddj@mcdonalddj-dc ~]$ sudo sa-update
> Password:
> gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
> gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
> error: GPG validation failed!
> The update downloaded successfully, but the GPG signature verification
> failed.
> channel: GPG validation failed, channel failed
>
>
> When I ran sa-update in debug mode, I see this message:
> [1518] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf
> [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz
> [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.sha1
> [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.asc
> [1518] dbg: sha1: verification wanted: 129293f2f748a7398442daf97a26e2af387192a6
> [1518] dbg: sha1: verification result: 129293f2f748a7398442daf97a26e2af387192a6
> [1518] dbg: channel: populating temp content file
> [1518] dbg: gpg: populating temp signature file
> [1518] dbg: gpg: calling gpg
> gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
> [1518] dbg: gpg: gpg: Signature made Wed 16 Apr 2008 04:28:44 AM CDT using RSA key ID 24F434CE
> [1518] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
> [1518] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
> [1518] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
> [1518] dbg: gpg: gpg: Can't check signature: general error
> error: GPG validation failed!
> The update downloaded successfully, but the GPG signature verification
> failed.
> channel: GPG validation failed, channel failed
>
> Looking at the gnupg faq, this appears to be a problem with the way the key is created.
> I was able to run sa-update with the --nogpg option, and sa-compile
> worked fine after sa-update ran, but I would like to know the best way
> to fix this long term.  Is this a gnupg bug?  or a spamassassin bug?
> Or... ?
>
>
> -- 
> Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
> Austin Energy
> http://www.austinenergy.com
>
>