Can I have you check again with rpmdev-checksig?  The zlib rpm you 
listed below is signed by TUV and by SL, perhaps it is only checking the 
one key.

Pat

On 02/22/2012 11:23 AM, Dmitry Butskoy wrote:
> Hi,
>
> I just downloaded the "scientificlinux/6.2/SRPMS/" source packages, 
> and see that some of them have broken signatures.
>
> Certainly, a lot of sources packages are not signed at all (it seems 
> that it is TUV behaviour), but some of them show me (when "rpm -K"):
>> zlib-1.2.3-27.el6.src.rpm: (sha1) dsa sha1 (MD5) PGP md5 gpg NOT OK
>
> rpm -q gpg-pubkey:
>> gpg-pubkey-fd431d51-4ae0493b
>> gpg-pubkey-2fa658e0-45700c69
>> gpg-pubkey-0608b895-4bd22942
>> gpg-pubkey-f6777c67-45e5b1b9
>> gpg-pubkey-1d1e034b-42bfd0c5
>> gpg-pubkey-a109b1ec-3f6e28d5
>> gpg-pubkey-f21541eb-4a5233e7
>> gpg-pubkey-897da07a-3c979a7f
>> gpg-pubkey-db42a60e-37ea5438
>> gpg-pubkey-37017186-45761324
>> gpg-pubkey-42193e6b-4624eff2
>> gpg-pubkey-849c449f-4cb9df30
>> gpg-pubkey-5568bbb2-4cb9de99
>> gpg-pubkey-192a7d7d-4a5769d0
>> gpg-pubkey-eb10625a-4a576ad9
>> gpg-pubkey-9505722e-4a576b54
>> gpg-pubkey-13a0a2dc-4a576ba5
>> gpg-pubkey-9b1fd350-4a576be4
> I have at least 350 such packages, all of them seem differ with TUV ones.
>
> I don't use mirrorlists, just ftpX.scientificlinux.org urls.
>
> What I have to do with this?
>
>
> Regards,
> Dmitry Butskoy
> http://www.fedoraproject.org/wiki/DmitryButskoy


-- 
Pat Riehecky
Scientific Linux Developer