Re: [newbie] Bad signatures in 9.2
On Friday 28 Nov 2003 2:19 pm, Jerry Barton wrote: > On Fri, 28 Nov 2003 15:15:57 + > > Charles A Edwards <[EMAIL PROTECTED]> wrote: > > You will get that error if you are not using ../base for your > > contrib source. > > > > The /contrib/i586/ contains a synthesis.hdlist2.cz and > > the rpms can be installed using such, But, it does not contain a > > list or hdlist as does base so you get the 'invalid list' > > Thanks Charles, > > My original contrib url is > ftp://mirrors.secsup.org/pub/linux/mandrake/Mandrake/9.2/contrib/i586 > path to hdlist: ../../i586/Mandrake/base/hdlist2.cz > (this was the urpmi.addmedia given by easy urpmi on plf) > that path to hdlist was the only /base dir i could find. So as far > as I can tell it was reading the right hdlist. I'll mess around with > it and see. I even tried updating the contrib source or using a > different one and it still gives me that error when installing from > contrib. I'll report back after trying a few things. > > Jerry. Thanks for the information, Charles. I was just about to reply, when I read Jerry's reply to you. I use rediris, but its path to hdlist is the same as the one Jerry gave. I too will experiment over the week-end. Cheers Keith Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Bad signatures in 9.2
On Fri, 28 Nov 2003 15:15:57 + Charles A Edwards <[EMAIL PROTECTED]> wrote: > > You will get that error if you are not using ../base for your contrib > source. > > The /contrib/i586/ contains a synthesis.hdlist2.cz and the > rpms can be installed using such, But, it does not contain a list or > hdlist as does base so you get the 'invalid list' Thanks Charles, My original contrib url is ftp://mirrors.secsup.org/pub/linux/mandrake/Mandrake/9.2/contrib/i586 path to hdlist: ../../i586/Mandrake/base/hdlist2.cz (this was the urpmi.addmedia given by easy urpmi on plf) that path to hdlist was the only /base dir i could find. So as far as I can tell it was reading the right hdlist. I'll mess around with it and see. I even tried updating the contrib source or using a different one and it still gives me that error when installing from contrib. I'll report back after trying a few things. Jerry. -- _||_ Registered linux user #300600 (o_ Registered linux machine # 185855 //\at V_/_ http://counter.li.org Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Bad signatures in 9.2
On Fri, 28 Nov 2003 19:37:35 + Keith Powell <[EMAIL PROTECTED]> wrote: > I too get the "Mirror uses invalid list try alternative method" > message when installing packages from contrib. I didn't mention it, > though, as I did not want to confuse things even more! You will get that error if you are not using ../base for your contrib source. The /contrib/i586/ contains a synthesis.hdlist2.cz and the rpms can be installed using such, But, it does not contain a list or hdlist as does base so you get the 'invalid list' Charles -- Fortune's real live weird band names #130: Cherry Poppin' Daddies - Mandrake Linux 10.0 on PurpleDragon Kernel-2.6.0-0.1mdkenterprise http://www.eslrahc.com - pgp0.pgp Description: PGP signature
Re: [newbie] Bad signatures in 9.2
On Wednesday 26 Nov 2003 7:48 pm, Dick Gevers wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Wed, 26 Nov 2003 14:18:48 +, Keith Powell > <[EMAIL PROTECTED]> wrote about Re: [newbie] Bad > signatures in > > 9.2: > >I installed the download edition of 9.2 from magazine cover disks, > > but KPPP did not install. So I installed it from the CDs using MCC. > > When I installed it, there was the "bad signature" message, which I > > ignored. I could not understand why there was this message with a > > package which was on the CDs. I then downloaded and installed the > > security updates (which were clear of the error message). Next I > > downloaded and installed a package from "Contrib" and got the error > > message. > > > >Then I downloaded and installed all the other updates. These too > > were clear of the signature error message. > > > >Now, installing packages from the CDs don't give the "bad signature" > >message, but installing packages from "Contrib" do. > > > >I was wondering why the "Contrib" repository was giving the error > >messages with Mandrake9.2, when it didn't with earlier versions. > > Should I try to solve the bad signature message problem, or ignore > > it? That was the reason for my posting. I hadn't seen anyone else > > reporting this happening. > > > >Hope this is a bit clearer. > > Okay clear. There are 2 separate things here: packages on CD for > which the signature checks and packages on the same CD`s for which > the signature does not check. In principle that ought not to be > possible, but, I have the same CD`s and see on Installation CD No. 2: > kdenetwork-kppp-3.1.3-37mdk.i586.rpm > > when I go to /mnt/cdrom/Mandrake/RPMS and > type (as root) > rpm -K *kppp* I get: > kdenetwork-kppp-3.1.3-37mdk.i586.rpm: (sha1) dsa sha1 md5 gpg OK > > so the signature *is* okay. > > If I go into MCC -> Software management -> Software Media Manager -> > Manage Keys I see that CD # 2 has the original MD key # 70771FF3 next > to it. > > So I can only assume that if and when you have bad signature message > that at that time your rpm database was corrupt or the key was not > associated to CD # 2. > > As far as the Contrib & Cooker packages are concerned, I understood > that had been a lot of discussion about those, and it will apparently > not be possible to authenticate them all (this isn`t new, the same > applied to 9.1 packages in these categories). > > However if you look at the information page per rpm in rpmsearch > (e.g. on MandrakeClub) you should see already mention of the key with > which it has been signed, if any and if so which. In the latter case > you can obtain the key as previously described and add it to your > rpm-keyring. If it is not signed at all, you should consider whether > or not you want to install it. If it has a high securety impact for > you, you should not install an unsigned package. > > In such case, PH you might ask the contributor to add his personal > GnuPG signature to the package. > Thanks for the extra information, Dick. I'll work on it over the week-end and see follow your advice. Been too busy the last couple of days to do anything about it. Cheers Keith Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Bad signatures in 9.2
On Wednesday 26 Nov 2003 8:54 am, Jerry Barton wrote: > On Wed, 26 Nov 2003 14:18:48 + > > Keith Powell <[EMAIL PROTECTED]> wrote: > > I was wondering why the "Contrib" repository was giving the error > > messages with Mandrake9.2, when it didn't with earlier versions. > > Should I try to solve the bad signature message problem, or ignore > > it? That was the reason for my posting. I hadn't seen anyone else > > reporting this happening. > > Keith, same thing happens here. I just didn't think much of it since > i got so used to texstar and plf rpms doing it. I too haven't ever > had a signature problem with contrib before until now. That and i > get some kind of "mirror uses invalid list trying alternate method" > message when I install packages from contrib. but so far i haven't > had any that haven't installed. Jerry I too get the "Mirror uses invalid list try alternative method" message when installing packages from contrib. I didn't mention it, though, as I did not want to confuse things even more! It's still there after a contrib "update". Things install OK, so I ignore it. Cheers Keith Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Bad signatures in 9.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wed, 26 Nov 2003 14:18:48 +, Keith Powell <[EMAIL PROTECTED]> wrote about Re: [newbie] Bad signatures in 9.2: >I installed the download edition of 9.2 from magazine cover disks, but >KPPP did not install. So I installed it from the CDs using MCC. When I >installed it, there was the "bad signature" message, which I ignored. I >could not understand why there was this message with a package which >was on the CDs. I then downloaded and installed the security updates >(which were clear of the error message). Next I downloaded and >installed a package from "Contrib" and got the error message. > >Then I downloaded and installed all the other updates. These too were >clear of the signature error message. > >Now, installing packages from the CDs don't give the "bad signature" >message, but installing packages from "Contrib" do. > >I was wondering why the "Contrib" repository was giving the error >messages with Mandrake9.2, when it didn't with earlier versions. Should >I try to solve the bad signature message problem, or ignore it? That >was the reason for my posting. I hadn't seen anyone else reporting this >happening. > >Hope this is a bit clearer. Okay clear. There are 2 separate things here: packages on CD for which the signature checks and packages on the same CD`s for which the signature does not check. In principle that ought not to be possible, but, I have the same CD`s and see on Installation CD No. 2: kdenetwork-kppp-3.1.3-37mdk.i586.rpm when I go to /mnt/cdrom/Mandrake/RPMS and type (as root) rpm -K *kppp* I get: kdenetwork-kppp-3.1.3-37mdk.i586.rpm: (sha1) dsa sha1 md5 gpg OK so the signature *is* okay. If I go into MCC -> Software management -> Software Media Manager -> Manage Keys I see that CD # 2 has the original MD key # 70771FF3 next to it. So I can only assume that if and when you have bad signature message that at that time your rpm database was corrupt or the key was not associated to CD # 2. As far as the Contrib & Cooker packages are concerned, I understood that had been a lot of discussion about those, and it will apparently not be possible to authenticate them all (this isn`t new, the same applied to 9.1 packages in these categories). However if you look at the information page per rpm in rpmsearch (e.g. on MandrakeClub) you should see already mention of the key with which it has been signed, if any and if so which. In the latter case you can obtain the key as previously described and add it to your rpm-keyring. If it is not signed at all, you should consider whether or not you want to install it. If it has a high securety impact for you, you should not install an unsigned package. In such case, PH you might ask the contributor to add his personal GnuPG signature to the package. Regards, =Dick Gevers= -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.3 (GNU/Linux) Comment: Encryption is an envelope - the contents are private. iD8DBQE/xQOZwC/zk+cxEdMRAmj/AKCB98v5S0+b+GhiHG+3mHUr9UYjnACgiSR6 IyXG6GniGqAKCJGgfxdXKI8= =VhDI -END PGP SIGNATURE- Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Bad signatures in 9.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 25 Nov 2003 08:44:59 +, Keith Powell <[EMAIL PROTECTED]> wrote about Re: [newbie] Bad signatures in 9.2: >> >However, if I try to install anything from the rediris "contrib" >> > mirror, I get the "Invalid Signature" message on each package. But >> > they will install if I ignore the message. I didn't get these >> > errors with 9.1 >Dick, thanks for your reply. The help is appreciated. > >I have now installed all the updates (which took several hours - hence >the delay in replying to you) and have then installed a package from >the CDs. There is still the same "bad signature" message. As I wrote >before, I haven't had this with the CDs from earlier versions. Not >tried installing any more packages from "Contrib" yet. > >So I will now go through all you have suggested and see if it can be >solved. Otherwise I will have to ignore the error messages, but I would >rather not get them! Maybe I`m daft, but I don`t understand what you`re trying to do: you say you have already installed the updates (presumably ignoring the error messages for absebce of sigs.) and now you want to check the signatures *afterward*? I understand it will give a sense of comfort afterward, but the security would be in checking during (or in my previous example before) installing the package. If rpm does not have the sig. in the keyring it must be imported, otherwise the sig. can`t be checked. You asked for the simplest way, so that`s what I gave you, IMO. But you might also manage the keys via MCC --> Software management --> Software media manager--> Manage keys. HTH regards, =Dick Gevers= .> Mandrake visibility? See header <. -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.3 (GNU/Linux) Comment: Encryption is an envelope - the contents are private. iD8DBQE/w87mwC/zk+cxEdMRAuz6AKCqqq7AnNYXdsi6c9F/M/UWHKAyXwCeMgLR jSPAvxBxz7wnagi7M4QcgtA= =Uuzi -END PGP SIGNATURE- Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Bad signatures in 9.2
On Sunday 23 Nov 2003 7:40 pm, Dick Gevers wrote: > On Sun, 23 Nov 2003 09:56:07 +, Keith Powell > > <[EMAIL PROTECTED]> wrote about [newbie] Bad signatures in 9.2: > >However, if I try to install anything from the rediris "contrib" > > mirror, I get the "Invalid Signature" message on each package. But > > they will install if I ignore the message. I didn't get these > > errors with 9.1 > > First of all you might want to check out the errata page. Then you > could use the trusted method (as root) of rpm -K foobar.rpm, which > will tell you if the signature is there or not and valid or not, and > the md5 sum is okay or not. > > If you urpmi packages, any signatures they contain should > automagically be added to the keyring, which is now in a database > managed by rpm, and no longer uses root`s GnuPG keyring. > > Moreover, it might help to update the rpm* packages, which have been > published since 9.2 was distributed, should you not have done so yet. > > Under Mandrake Control Center the keys can be managed via `Software > Manager` - --> `Software Media Manager` --> Manage keys... > > If you use rpm on the console, obtain the key (or export to file from > keyring) and import the key to the rpm-keyring with: rpm --import > foo.bar(.asc). > > HTH > =Dick Gevers= Dick, thanks for your reply. The help is appreciated. I have now installed all the updates (which took several hours - hence the delay in replying to you) and have then installed a package from the CDs. There is still the same "bad signature" message. As I wrote before, I haven't had this with the CDs from earlier versions. Not tried installing any more packages from "Contrib" yet. So I will now go through all you have suggested and see if it can be solved. Otherwise I will have to ignore the error messages, but I would rather not get them! Cheers and thanks again. Keith Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Bad signatures in 9.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sun, 23 Nov 2003 09:56:07 +, Keith Powell <[EMAIL PROTECTED]> wrote about [newbie] Bad signatures in 9.2: >However, if I try to install anything from the rediris "contrib" mirror, >I get the "Invalid Signature" message on each package. But they will >install if I ignore the message. I didn't get these errors with 9.1 First of all you might want to check out the errata page. Then you could use the trusted method (as root) of rpm -K foobar.rpm, which will tell you if the signature is there or not and valid or not, and the md5 sum is okay or not. If you urpmi packages, any signatures they contain should automagically be added to the keyring, which is now in a database managed by rpm, and no longer uses root`s GnuPG keyring. Moreover, it might help to update the rpm* packages, which have been published since 9.2 was distributed, should you not have done so yet. Under Mandrake Control Center the keys can be managed via `Software Manager` - --> `Software Media Manager` --> Manage keys... If you use rpm on the console, obtain the key (or export to file from keyring) and import the key to the rpm-keyring with: rpm --import foo.bar(.asc). HTH =Dick Gevers= -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.3 (GNU/Linux) Comment: Encryption is an envelope - the contents are private. iD8DBQE/wQ0/wC/zk+cxEdMRArWuAKDrJreKuCLp9XTNnZAclpsvv+7SswCgpGAS wfavRXpWz15/toiz0PfNubU= =+MzV -END PGP SIGNATURE- Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Bad signatures in 9.2
On Sunday 23 November 2003 09:56, Keith Powell wrote: > However, if I try to install anything from the rediris "contrib" > mirror, I get the "Invalid Signature" message on each package. > But they will install if I ignore the message. I didn't get these > errors with 9.1 > > My query is, are the errors likely to be caused by some file > missing on the cover disks, or is it a known problem with 9.2? I > can't find anything in the archives about it. What do I need to > do to overcome this little problem, or do I just always ignore > it? That's a well known issued with the "Contrib" mirrors. The contrib packages aren't supported by Mandrake and thusly do not contain the signature. You can do two things : 1. Ignore it. As long as the md5sum is OK it doesn't matter. 2. Get the Signature from the server. I don't know how, and don't care, but others on this list know the procedure. HTH Kaj Haulrich. Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
[newbie] Bad signatures in 9.2
Greetings all. For family reasons, I have been off the list (and rarely on the computer) for about ten weeks, and have just joined again. I wanted to try Mandrake9.2 so, before spending my hard-earned pension on the package, I have installed it from three magazine cover disks just to test. KPPP wasn't installed, so when I installed it from the CD, I got the error message that the signature was invalid. I ignored the message. I have downloaded and installed all the upgrades and they were without errors. However, if I try to install anything from the rediris "contrib" mirror, I get the "Invalid Signature" message on each package. But they will install if I ignore the message. I didn't get these errors with 9.1 My query is, are the errors likely to be caused by some file missing on the cover disks, or is it a known problem with 9.2? I can't find anything in the archives about it. What do I need to do to overcome this little problem, or do I just always ignore it? Otherwise, I am very impressed with 9.2 and will save up my pennies for the package version!!! Many thanks for any help. Keith Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com