Bug 4925 - Some packages are not signed
Summary: Some packages are not signed
Status: RESOLVED FIXED
Alias: None
Product: Infrastructure
Classification: Unclassified
Component: BuildSystem
Version: unspecified
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Sysadmin Team
Duplicates: 4926 4932
Reported: 2012-03-13 14:31 CET by Pascal Terjan
Modified: 2012-05-30 09:54 CEST

Description Pascal Terjan 2012-03-13 14:31:33 CET
The script only checks if there is a BAD signature, but lets packages go through if they have no signature at all.
I don't know the reason why they don't have a signature, but the action may not have been run at all, given that it seems all packages from one upload, on both arches, are affected.

$ for f in /distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/*.rpm; do rpm -Kv $f | grep Signature > /dev/null || echo $f; done 
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/drakx-installer-stage2-13.93-2.mga2.x86_64.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/java-gnome-javadoc-4.1.1-1.mga2.noarch.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/lib64rpm2-4.9.1.2-21.mga2.x86_64.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/lib64rpmbuild2-4.9.1.2-21.mga2.x86_64.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/lib64rpm-devel-4.9.1.2-21.mga2.x86_64.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/lib64rpmsign2-4.9.1.2-21.mga2.x86_64.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/maven-help-plugin-2.1.1-5.mga2.noarch.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/maven-help-plugin-javadoc-2.1.1-5.mga2.noarch.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/perl-Math-BaseCnv-1.800.0-1.mga2.noarch.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/python-gd-0.56-2.mga2.x86_64.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/python-rpm-4.9.1.2-21.mga2.x86_64.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/rpm-4.9.1.2-21.mga2.x86_64.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/rpm-build-4.9.1.2-21.mga2.x86_64.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/rpm-sign-4.9.1.2-21.mga2.x86_64.rpm
/distrib/bootstrap/distrib/cauldron/x86_64/media/core/release/sarg-2.3.2-1.mga2.x86_64.rpm


$ for f in /distrib/bootstrap/distrib/cauldron/i586/media/core/release/*4.9.1.2-2*.rpm; do rpm -Kv $f | grep Signature > /dev/null || echo $f; done 
/distrib/bootstrap/distrib/cauldron/i586/media/core/release/librpm2-4.9.1.2-21.mga2.i586.rpm
/distrib/bootstrap/distrib/cauldron/i586/media/core/release/librpmbuild2-4.9.1.2-21.mga2.i586.rpm
/distrib/bootstrap/distrib/cauldron/i586/media/core/release/librpm-devel-4.9.1.2-21.mga2.i586.rpm
/distrib/bootstrap/distrib/cauldron/i586/media/core/release/librpmsign2-4.9.1.2-21.mga2.i586.rpm
/distrib/bootstrap/distrib/cauldron/i586/media/core/release/python-rpm-4.9.1.2-21.mga2.i586.rpm
/distrib/bootstrap/distrib/cauldron/i586/media/core/release/rpm-4.9.1.2-21.mga2.i586.rpm
/distrib/bootstrap/distrib/cauldron/i586/media/core/release/rpm-build-4.9.1.2-21.mga2.i586.rpm
/distrib/bootstrap/distrib/cauldron/i586/media/core/release/rpm-sign-4.9.1.2-21.mga2.i586.rpm
Comment 1 Pascal Terjan 2012-03-13 15:09:10 CET
Key had expired, it should definitely prevent upload.
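
Added example, not part of the original report and not Mageia's upload script: a fail-closed gate for the problem described above, which accepts a package only when `rpm -Kv` shows a signature that verified, so a missing signature is rejected like a bad one. The function names, the assumed `rpm -Kv` line format and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the Mageia upload script): fail-closed signature gate.
# Assumption: `rpm -Kv` prints one line per check, signature lines contain
# the word "Signature", and every passing check ends in ": OK".

# Classify `rpm -Kv` output read from stdin: signed-ok | unsigned | bad
classify_rpm_check() {
    awk '
        /Signature/ { sig++; if ($NF != "OK") bad++ }   # BAD, NOKEY, ... all fail
        /digest/    { if ($0 !~ /: OK/) bad++ }         # corrupted payload or header
        END {
            if (bad)       print "bad"
            else if (!sig) print "unsigned"             # the case a BAD-only check lets through
            else           print "signed-ok"
        }'
}

# Gate for one package file: returns 0 only for a present, verified signature.
# Empty or unexpected rpm output (missing file, rpm error) is rejected as well.
allow_upload() {
    verdict=$(rpm -Kv "$1" 2>&1 | classify_rpm_check)
    [ "$verdict" = "signed-ok" ]
}

# Constructed sample outputs (key ID and digests are made up).
SAMPLE_SIGNED='pkg.rpm:
    Header V3 RSA/SHA1 Signature, key ID 00000000: OK
    Header SHA1 digest: OK (0000)
    V3 RSA/SHA1 Signature, key ID 00000000: OK
    MD5 digest: OK (0000)'
SAMPLE_UNSIGNED='pkg.rpm:
    Header SHA1 digest: OK (0000)
    MD5 digest: OK (0000)'
SAMPLE_NOKEY='pkg.rpm:
    Header V3 RSA/SHA1 Signature, key ID 00000000: NOKEY
    Header SHA1 digest: OK (0000)'

# Prints: signed-ok, unsigned, bad (one per line)
for s in "$SAMPLE_SIGNED" "$SAMPLE_UNSIGNED" "$SAMPLE_NOKEY"; do
    printf '%s\n' "$s" | classify_rpm_check
done
```
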
Comment 2 Manuel Hiebel 2012-03-13 15:55:12 CET
*** Bug 4926 has been marked as a duplicate of this bug. ***

CC: (none) => junk_no_spam

Frédéric "LpSolit" Buclin 2012-03-13 17:16:40 CET

CC: (none) => LpSolit

Comment 3 Manuel Hiebel 2012-03-13 21:50:30 CET
*** Bug 4932 has been marked as a duplicate of this bug. ***

CC: (none) => smiling.diego

Comment 4 Frédéric "LpSolit" Buclin 2012-04-20 16:20:01 CEST
*** Bug 5506 has been marked as a duplicate of this bug. ***

CC: (none) => thierry.vignaud

Comment 5 roger bunivot 2012-05-28 23:13:17 CEST
Good evening,
I was trying to update Mageia 1 to Mageia 2.
The process stopped because of an unsigned package:
/var/cache/urpmi/rpms/python-gd-0.56-2.mga2.i586.rpm: Signature absente (OK ((none)/var/cache/urpmi/rpms/python-gd-0.56-2.mga2.i586.rpm: Signature absente (OK ((none)

I removed python-gd, then the update could continue.

Thanks a lot for this distribution, it seems very nice.

CC: (none) => roger.bunivot
Status: NEW => REOPENED

Bit Twister 2012-05-29 00:03:18 CEST

CC: junk_no_spam => (none)

Comment 6 Dave Hodgins 2012-05-29 09:25:06 CEST
I guess this is one package that was never installed by a qa
member, during qa testing.

I've posted a request on the developers mailing list asking
for someone there to check and see how many packages are in
Core Release without signatures.

CC: (none) => davidwhodgins

Comment 7 Thomas Backlund 2012-05-29 10:30:52 CEST
I'm currently checking the primary mirror and will re-sign packages with missing signatures.

CC: (none) => tmb

Comment 8 Thomas Backlund 2012-05-29 11:50:57 CEST
Only these packages (and their debug and srpms) were unsigned:

java-gnome-javadoc-4.1.1-1.mga2
maven-help-plugin-2.1.1-5.mga2
maven-help-plugin-javadoc-2.1.1-5.mga2
python-gd-0.56-2.mga2
sarg-2.3.2-1.mga2

They are now signed in Mageia 2 and Cauldron and should show up on mirrors soon

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 9 Dave Hodgins 2012-05-29 19:56:53 CEST
Thanks Thomas.

Did you check Nonfree and Tainted as well?

Will the signed rpms go to Release, Updates, or Updates Testing?

If they are going to Release, I'm not sure if mgaapplet will update the
list of available rpms.  We may have to get everyone who has already
installed to run urpmi --auto-update, to get the updated lists.
Comment 10 roger bunivot 2012-05-30 09:54:43 CEST
Thanks a lot, people, for being so reactive.
I'm sorry I don't have the knowledge to help you more.
I updated three computers this weekend from Mandriva to Mageia 1, then to Mageia 2, and everything went pretty smoothly.
You did a very good job, thanks a lot.
