Posted to dev@apr.apache.org by Kim Leng Goh <ki...@gmail.com> on 2006/07/07 09:02:02 UTC

Problem checking signature of httpd, apr, apr-util rpms

Hi all,

  I encountered some problems with the KEYS at
http://www.apache.org/dist/httpd/KEYS and
http://www.apache.org/dist/apr/KEYS with the "rpm --checksig" or "rpm
-K" command on some of the rpms such as
http://www.apache.org/dist/httpd/binaries/rpm/SRPMS/httpd-2.0.58-1.src.rpm,
http://www.apache.org/dist/apr/binaries/rpm/SRPMS/apr-0.9.12-1.src.rpm,
http://www.apache.org/dist/apr/binaries/rpm/i386/apr-1.2.7-1.i386.rpm

Without importing any public key, I get "NOKEY":

# rpm -K -v httpd-2.0.58-1.src.rpm
httpd-2.0.58-1.src.rpm:
    Header V3 DSA signature: NOKEY, key ID 751d7f27
    Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
    MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
    V3 DSA signature: NOKEY, key ID 751d7f27


Using http://www.apache.org/dist/apr/KEYS, I extracted lines 513 to
712 of the file into another file "KEYS.2":

# head -712 KEYS|tail -200 > KEYS.2

# rpm --import KEYS.2

# rpm -qa|grep gpg
...
gpg-pubkey-751d7f27-3ddd0dfa
...


and I get "BAD":

# rpm -K -v httpd-2.0.58-1.src.rpm
httpd-2.0.58-1.src.rpm:
    Header V3 DSA signature: BAD, key ID 751d7f27
    Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
    MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
    V3 DSA signature: BAD, key ID 751d7f27


If I use the key from
http://pgp.mit.edu:11371/pks/lookup?search=0x751D7F27&op=index
(e.g. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x751D7F27), I
get f88341d9 as the key ID. Apparently, f88341d9 should belong to Lars
Eilebrecht.

# rpm --import KEYS.3
# rpm -qa|grep gpg
...
gpg-pubkey-f88341d9-3ddd3c97
...
gpg-pubkey-751d7f27-3ddd0dfa

Regards,
KL
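
Added example, not part of the original post: a Python triage helper that reads `rpm -K -v` output in the layout quoted above and separates "signing key not imported" (NOKEY) from "key imported but signature failed" (BAD), so matching SHA1/MD5 digests are never mistaken for proof of origin. The function names `imported_key_ids` and `classify` and the verdict labels are hypothetical, and the parsing assumes the line format shown in this message.

```python
import re

# Constructed from the first `rpm -K -v` capture quoted in the post above.
BEFORE_IMPORT = """\
httpd-2.0.58-1.src.rpm:
    Header V3 DSA signature: NOKEY, key ID 751d7f27
    Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
    MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
    V3 DSA signature: NOKEY, key ID 751d7f27
"""
AFTER_IMPORT = BEFORE_IMPORT.replace("NOKEY", "BAD")  # second capture in the post

# Assumed line layout: "<what> signature: <STATUS>, key ID <8 hex>" and "<what> digest: <STATUS>".
SIG_RE = re.compile(r"^\s+(.*signature): (\w+), key ID ([0-9a-f]{8})\s*$")
DIGEST_RE = re.compile(r"^\s+(.*digest): (\w+)\b")
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}$")


def imported_key_ids(rpm_qa_lines):
    """Key IDs of imported keys, read from gpg-pubkey-<keyid>-<release> names."""
    return {m.group(1) for line in rpm_qa_lines if (m := PUBKEY_RE.match(line.strip()))}


def classify(checksig_output, keyring):
    """Return (verdict, key_ids) for one package's `rpm -K -v` output."""
    sigs, digests = [], []
    for line in checksig_output.splitlines():
        if m := SIG_RE.match(line):
            sigs.append((m.group(2), m.group(3)))
        elif m := DIGEST_RE.match(line):
            digests.append(m.group(2))
    key_ids = sorted({kid for _, kid in sigs})
    if not sigs:
        return "UNSIGNED", key_ids   # digests alone say nothing about who built it
    if any(d != "OK" for d in digests):
        return "CORRUPT", key_ids    # file damaged or altered in transit
    if any(status == "BAD" for status, _ in sigs):
        return "BAD", key_ids        # a key with this ID is present, check failed
    if any(status == "NOKEY" for status, _ in sigs):
        return "NOKEY", key_ids      # cannot verify: signing key not imported
    if all(status == "OK" for status, _ in sigs) and set(key_ids) <= keyring:
        return "VERIFIED", key_ids
    return "UNKNOWN", key_ids        # unexpected status or key outside the keyring
```

Anything other than `VERIFIED` should block installation; `BAD` with the expected key ID present is the case reported in this message and needs the key material itself checked.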