On Tue, Sep 25, 2012 at 7:46 AM, Volker Fröhlich <[log in to unmask]> wrote:
> On Tue, 2012-09-25 at 09:50 +0000, Müller-Reineke, Matthias wrote:
>> Dear SL users,
>>
>> I want to check the authenticity of a source package which I obtained with yum downloader this way:
>>
>> yumdownloader --source  --disablerepo=epel tomcat6
>>
>> When I try to verify the authenticity happens this:
>>
>> ~/> rpm --checksig -v tomcat6-6.0.24-45.el6.src.rpm
>> tomcat6-6.0.24-45.el6.src.rpm:
>>     Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
>>     Header SHA1 digest: OK (906acdd5cf193699ef3028d438b12edf7c934d47)
>>     V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
>>     MD5 digest: OK (7ec8af89e12e5ba43ee1a97e848e75a4)
>> willfried@gvsl Tue Sep 25 11:32:59am
>> ~/> echo $?
>> 1
>>
>>
>> What is missing?
>
> The public key of the repository. Import it using rpm --import.
>
> Volker

This public key is normally listed in
/etc/yum.repos.e/[repositoryname].repo, and running "yum install
package" will ask if you want to import that key when you first use
it. I'm in the midst of setting up a new repository for a project
right now, and trying to do so carefully for a repository that has
lost its old GPG key passphrase.