You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "McDonald, Dan" <Da...@austinenergy.com> on 2008/04/18 15:17:03 UTC
gpg failure on sa-update due to non-cross-certified key
I recently installed Mandriva 2008.1 on one of my spamfilters. It
includes gpg version 1.4.9. When I try to run sa-update, I get:
[mcdonalddj@mcdonalddj-dc ~]$ sudo sa-update
Password:
gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
When I ran sa-update in debug mode, I see this message:
[1518] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf
[1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz
[1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.sha1
[1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.asc
[1518] dbg: sha1: verification wanted: 129293f2f748a7398442daf97a26e2af387192a6
[1518] dbg: sha1: verification result: 129293f2f748a7398442daf97a26e2af387192a6
[1518] dbg: channel: populating temp content file
[1518] dbg: gpg: populating temp signature file
[1518] dbg: gpg: calling gpg
gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
[1518] dbg: gpg: gpg: Signature made Wed 16 Apr 2008 04:28:44 AM CDT using RSA key ID 24F434CE
[1518] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[1518] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
[1518] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
[1518] dbg: gpg: gpg: Can't check signature: general error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
Looking at the gnupg faq, this appears to be a problem with the way the key is created.
I was able to run sa-update with the --nogpg option, and sa-compile
worked fine after sa-update ran, but I would like to know the best way
to fix this long term. Is this a gnupg bug? or a spamassassin bug?
Or... ?
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: gpg failure on sa-update due to non-cross-certified key
Posted by D Hill <d....@yournetplus.com>.
On Fri, 18 Apr 2008 at 10:30 -0500, Dan.McDonald@austinenergy.com confabulated:
> On Fri, 2008-04-18 at 13:51 +0000, D Hill wrote:
>> Re-download a GPG key and import:
>>
>> wget http://spamassassin.apache.org/updates/GPG.KEY
>> sa-update --import GPG.KEY
>>
>> This is in the wiki:
>>
>> http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29
>>
>> I had the same thing happen and all is well now.
>
> Ah, thank you. I dug around the wiki for an hour last night and didn't
> find this article...
A search for the word 'update' on the Wiki is how I found it.
Re: gpg failure on sa-update due to non-cross-certified key
Posted by Vivek Khera <vi...@khera.org>.
On Apr 18, 2008, at 11:30 AM, McDonald, Dan wrote:
>> http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29
>>
>> I had the same thing happen and all is well now.
>
> Ah, thank you. I dug around the wiki for an hour last night and
> didn't
> find this article...
>
I cut/pasted the error message that gpg issued from the sa-update -D
output, and this page was the first or second link in google.
Re: gpg failure on sa-update due to non-cross-certified key
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Fri, 2008-04-18 at 13:51 +0000, D Hill wrote:
> Re-download a GPG key and import:
>
> wget http://spamassassin.apache.org/updates/GPG.KEY
> sa-update --import GPG.KEY
>
> This is in the wiki:
>
> http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29
>
> I had the same thing happen and all is well now.
Ah, thank you. I dug around the wiki for an hour last night and didn't
find this article...
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: gpg failure on sa-update due to non-cross-certified key
Posted by D Hill <d....@yournetplus.com>.
Re-download a GPG key and import:
wget http://spamassassin.apache.org/updates/GPG.KEY
sa-update --import GPG.KEY
This is in the wiki:
http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29
I had the same thing happen and all is well now.
-d
On Fri, 18 Apr 2008 at 08:24 -0500, Dan.McDonald@austinenergy.com confabulated:
> I recently installed Mandriva 2008.1 on one of my spamfilters. It
> includes gpg version 1.4.9. When I try to run sa-update, I get:
> [mcdonalddj@mcdonalddj-dc ~]$ sudo sa-update
> Password:
> gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
> gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
> error: GPG validation failed!
> The update downloaded successfully, but the GPG signature verification
> failed.
> channel: GPG validation failed, channel failed
>
>
> When I ran sa-update in debug mode, I see this message:
> [1518] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf
> [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz
> [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.sha1
> [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.asc
> [1518] dbg: sha1: verification wanted: 129293f2f748a7398442daf97a26e2af387192a6
> [1518] dbg: sha1: verification result: 129293f2f748a7398442daf97a26e2af387192a6
> [1518] dbg: channel: populating temp content file
> [1518] dbg: gpg: populating temp signature file
> [1518] dbg: gpg: calling gpg
> gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
> [1518] dbg: gpg: gpg: Signature made Wed 16 Apr 2008 04:28:44 AM CDT using RSA key ID 24F434CE
> [1518] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
> [1518] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
> [1518] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
> [1518] dbg: gpg: gpg: Can't check signature: general error
> error: GPG validation failed!
> The update downloaded successfully, but the GPG signature verification
> failed.
> channel: GPG validation failed, channel failed
>
> Looking at the gnupg faq, this appears to be a problem with the way the key is created.
> I was able to run sa-update with the --nogpg option, and sa-compile
> worked fine after sa-update ran, but I would like to know the best way
> to fix this long term. Is this a gnupg bug? or a spamassassin bug?
> Or... ?
>
>
> --
> Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
> Austin Energy
> http://www.austinenergy.com
>
>