Hi Nicholas,

Run a 'rpm --checksig package'. If it says something about missing keys, then you don't have the public key of whoever signed the package. You should do a 'gpg --keyserver www.mandrakesecure.net --recv-keys keyid' where keyid is the missing key id (just the stuff right after # please). If gpg doesn't complain, run 'rpm --checksig package' again. Should be ok this time.

Note that depending on your level of paranoia, simply trusting the keyserver might not be enough. Try to check by other means that the key is what it's supposed to be. In theory (could someone from within MandrakeSoft confirm, refute or provide a solution for this please?) one could create a gpg identity with name and email addresses such that others would think it was a legitimate packager of MandrakeSoft, upload it to the mandrakesecure.net keyserver and then build trojaned (or whatever) packages, sign them with the key and upload them to a public (compromised) server. Then the victims would do a rpm --checksig on it, see that they miss the key and then get it. RPM would be happy; the package was indeed signed with the key. The thing is, you see, that a valid gpg signature provides little security if you don't check that the key really belongs to the person / organization it claims to.

Here's the keyserver www interface address: http://www.mandrakesecure.net/cks/

On Tue, 2002-11-05 at 18:11, Nicolas VERITE wrote:
> When installing a (set of) packages,
> sometimes rpmdrake (or grpmi I don't know anymore)
> tells me something like :
>
> "
> package signature is invalid
>
> no GPG signature in package
> "
>
> Is it safe to install it ?
> What do I risk ?

-- 
Mikko Lipasti
Polarcom Consulting Oy :: [EMAIL PROTECTED] :: +358 (0)40 5590 988
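The procedure in the reply above, as an added shell example that is not part of the original thread: it parses constructed 'rpm --checksig' output for missing key ids (the format, with the key id right after '#', is assumed from the reply), flags packages that carry no GPG signature at all, and pins a fetched key's fingerprint against one obtained out of band, which is the "check by other means" step. The sample rpm and gpg output, the package names and the key id are constructed, not real.

```sh
#!/bin/sh
# Constructed sample of 'rpm --checksig' output (format assumed: key id follows '#').
SAMPLE_CHECKSIG='good-1.0-1mdk.i586.rpm: (sha1) dsa sha1 md5 gpg OK
unknown-2.3-4mdk.i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#deadbeef)
unsigned-0.1-1mdk.noarch.rpm: sha1 md5 OK'

# Print "<package> <keyid>" for every line that reports MISSING KEYS.
missing_keys() {
    printf '%s\n' "$1" | awk '/MISSING KEYS/ {
        sub(/:.*/, "", $1)                                  # package name before the colon
        id = $0; sub(/.*#/, "", id); sub(/[^0-9A-Fa-f].*/, "", id)  # text right after "#"
        print $1, id
    }'
}

# Print packages whose line has no gpg token at all: the "no GPG signature" case
# from the question (heuristic assumed from rpm output, not an rpm feature).
unsigned_packages() {
    printf '%s\n' "$1" | awk '!/[gG][pP][gG]/ { sub(/:.*/, "", $1); print $1 }'
}

# Compare the fingerprint gpg prints for a fetched key with one obtained out of
# band (CD, printed page, phone call). Spaces are ignored so a hand-copied value
# still matches. $1 = text of 'gpg --fingerprint <keyid>', $2 = expected fingerprint.
fingerprint_matches() {
    got=$(printf '%s\n' "$1" | awk -F'= ' '/fingerprint/ { print $2 }' | tr -d ' ')
    want=$(printf '%s' "$2" | tr -d ' ')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Constructed 'gpg --fingerprint' output for a hypothetical key (not a real key).
SAMPLE_FPR='pub  1024D/DEADBEEF 2002-01-01 Example Packager <packager@example.invalid>
     Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 DEAD BEEF'
EXPECTED_FPR='1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 DEAD BEEF'

missing_keys "$SAMPLE_CHECKSIG"        # unknown-2.3-4mdk.i586.rpm deadbeef
unsigned_packages "$SAMPLE_CHECKSIG"   # unsigned-0.1-1mdk.noarch.rpm
if fingerprint_matches "$SAMPLE_FPR" "$EXPECTED_FPR"; then
    echo "fingerprint verified, safe to import"
else
    echo "fingerprint MISMATCH, do not trust this key"
fi
```

Only a fingerprint match against a value you got outside the keyserver closes the gap the reply describes; a clean 'rpm --checksig' after '--recv-keys' alone does not.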
