sa-update fails

[Gene Heskett <ge...@verizon.net>]

Greetings;

Even though I have followed the intructions in the error message twice now, I 
still have the same error when sa-update is run:

# /usr/bin/sa-update --allowplugins --gpgkey 
D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
error: GPG validation failed!
The update downloaded successfully, but it was not signed with a trusted GPG
key.  Instead, it was signed with the following keys:

    BDE9DC10

Perhaps you need to import the channel's GPG key?  For example:

    wget http://spamassassin.apache.org/updates/GPG.KEY
    sa-update --import GPG.KEY

channel: GPG validation failed, channel failed

New secret process guys?  But I note the signature key is the last 8 digits of 
the GPG.KEY my cron job was using.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Kindness is the beginning of cruelty.
		-- Muad'dib [Frank Herbert, "Dune"]

Re: sa-update fails

[Jonas Eckerman <jo...@frukt.org>]

 >> (Please keep it on the list...)

Gene Heskett wrote:

>> Have you checked in the key ring to see that it's really there?

> The command is cat, but what file?

I don't know from memory, but my guess is that reading the man 
pages would give an answer to this.

> gone, but it also isn't updating anything either unless is both silent and 
> damned fast.

It is silent unless there was a problem. To check wether it 
updated anything check the exit code (0 means there was an 
update). You can also check the contents of the update dir to see 
how new the stuff in there is.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/

Re: sa-update fails

[Jonas Eckerman <jo...@frukt.org>]

(Please keep it on the list...)

Gene Heskett wrote:

>> Did you also follow the instructions for the channel you are
>> trying to update? They are available at
>> <http://saupdates.openprotect.com/>.

> First time anybody has mentioned that in about 6 months,

Maybe it is, but in that case it was mentioned before that.
Anyway, I just found them through Google and it is the same
address as for the channel so it's not that hard to find.

> I converted teh
> rules_du_jour thing to this per the instructions then.  Is this newer yet?

Is what newer? Newer than what?

The "saupdates.openprotect.com" is newer than RDJ if that's what
you mean. The instruction page isn't very new, but it's possible
that the instructions have been changed recently.

> And the last I knew the official channel was squawking about the bandwidth, 
> threatening to disallow us if we used it on a regular basis.

I've never read anything like that anywhere. Quite the opposite
actually. It is recommended to schedule regular runs of sa-update
for the oficial channel.

Since sa-update uses the DNS system to see if there are any
updates available from the official channel
"updates.spamassassin.org" it really doesn't require a
problematic amount of bandwidth for regular checks.

Also, this really isn't relevant in this case since the
"saupdates.openprotect.com" channel has completely different
content from the "updates.spamassassin.org" channel, so you
really should update the official channel as well.

> Somebody should
> make up their mind as to who's desk has "the buck stops here' sign on it. 

I really don't understand what you mean here.

The SpamAssassin crew are responsible for the official channel
only. Whoever publishes a third party channel is responsible for
that channel.

You are responible for choosing what channels you use.

Personally I would not ever use a third party channel without
first reading the published documentation about the channel and
also checking the actual content to see wetrher it's a channel I
want or not. That said, I do use OpenProtects channel in addition
to the official channel.

> I believe that someplace over the last 72 hours I have done that, pulling the 
> key from the keyserver at MIT IIRC.

Have you checked in the key ring to see that it's really there?

/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/

Re: sa-update fails

[Jonas Eckerman <jo...@frukt.org>]

Gene Heskett wrote:

> Even though I have followed the intructions in the error message twice now, I 
> still have the same error when sa-update is run:

Did you also follow the instructions for the channel you are 
trying to update? They are available at 
<http://saupdates.openprotect.com/>.

> # /usr/bin/sa-update --allowplugins --gpgkey 
> D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com

The copmmand line above tries to update the channel 
"saupdates.openprotect.com" wich is not the official channel.

> Perhaps you need to import the channel's GPG key?  For example:
> 
>     wget http://spamassassin.apache.org/updates/GPG.KEY
>     sa-update --import GPG.KEY

Note the important "For example:" in the error message. The 
actual key you need to import is specific to the channel you are 
using. The key in the *example* is probably the key for the 
official channel.

The key used for the "saupdates.openprotect.com" channel, as 
speciefied in the instructions at 
<http://saupdates.openprotect.com/> is 
<http://saupdates.openprotect.com/pub.gpg>.
(Note: OpenProtect recommends you use gpg to fetch their key from 
a key server rather than fetch it with wget.)

Regards
/Jonas

-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/