On Fri, 5 Oct 2012, SCHAER Frederic wrote:

> Hi,
>
> I'm trying to install some software which requires a jdk, and the latest one is  set to be installed... but installation fails
> because I have enabled gpg signature check, and that rpm isn't signed : is this a bug, or a feature ?
>
> Error :
> # yum install jdk.x86_64
> (...)
> Package jdk-1.6.0_35-fcs.x86_64.rpm is not signed
>
> If this is a feature, do how should security updates be applied using yum ?

It is a "feature".

Sun/Oracle build these packages, not SL,
and they are built with rpm version 3 which cannot be (re)signed 
(there is/was some work around for the 32bit rpms,
but no known solution for the x86_64 packages).

> I would assume it is a security risk to disable gpg check on erratas, isn't it ?

I would agree.
I hand-install these packages with yum --nogpgcheck

-- 
Dr. Andrew C. Aitchison		Computer Officer, DPMMS, Cambridge
[log in to unmask]	http://www.dpmms.cam.ac.uk/~werdna