SCIENTIFIC-LINUX-USERS Archives

September 2020

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: osg-3.4 actually used in SL-8 not signed by OSG
From:
Patrick Riehecky <[log in to unmask]>
Reply To:
Patrick Riehecky <[log in to unmask]>
Date:
Tue, 8 Sep 2020 13:42:57 +0000
Content-Type:
text/plain
Parts/Attachments:
text/plain (1 lines) 
Hello,



I believe you should report this to the OSG folks: 

https://support.opensciencegrid.org/helpdesk/tickets/new



Pat



On Sun, 2020-09-06 at 13:28 +0000, Charles Elsaesser wrote:

> Ss written on page

> https://opensciencegrid.org/docs/release/supported_platforms/

> package

> /var/cache/yum/x86_64/7/osg/packages/osg-release-3.4-

> 9.osg34.el7.noarch.rpm

> downloaded using

> yum install osg-release on SL-8

> is not signed by OSG

> 

> So when installing osg-release on SL-8 , following sequence is

> printed

> 

> Mise à jour :

>  osg-release                          

> noarch                           3.4-

> 9.osg34.el7                           osg                           

> 12 k

> 

> Résumé de la transaction

> =====================================================================

> =====================================================================

> ============

> Mettre à jour  1 Paquet

> 

> Taille totale  : 12 k

> Is this ok [y/d/N]: y

> Downloading packages:

> attention : /var/cache/yum/x86_64/7/osg/packages/osg-release-3.4-

> 9.osg34.el7.noarch.rpm: Entête V4 DSA/SHA1 Signature, clé ID

> 824b8603: NOKEY

> Récupération de la clé à partir de file:///etc/pki/rpm-gpg/RPM-GPG-

> KEY-OSG

> Importation de la clef GPG 0x824B8603 :

> ID utilisateur : « OSG Software Team (RPM Signing Key for Koji

> Packages) <[log in to unmask]> »

> Empreinte      : 6459 d9d2 aaa9 ab67 a251 fb44 2110 b1c8 824b 8603

> Paquet         : osg-release-3.4-8.el7.noarch (@repos)

> Provient de    : /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG

> Est-ce correct [o/N] : 

> 

> 

> Fingerprint is different from key announced on

> https://opensciencegrid.org/docs/release/signing/

> 

> The OSG Packaging Signing Key¶

>  

> Location     /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG

> Download     UW-Madison, GitHub

> Fingerprint     6459 !D9D2 AAA9 AB67 A251 FB44 2110 !B1C8 824B 8603

> Key ID     824b8603

> 

> Do the upper or lower cases on GPG-fingerprints have no importance ?

> 

> Practically can the downloaded package

> /var/cache/yum/x86_64/7/osg/packages/osg-release-3.4-

> 9.osg34.el7.noarch.rpm

> be trusted?

> 

> Thank you for you advices

> 

> Charles

ATOM RSS1 RSS2