Can I have you check again with rpmdev-checksig? The zlib rpm you listed below is signed by TUV and by SL; perhaps it is only checking the one key.

Pat

On 02/22/2012 11:23 AM, Dmitry Butskoy wrote:
> Hi,
>
> I just downloaded the "scientificlinux/6.2/SRPMS/" source packages,
> and see that some of them have broken signatures.
>
> Certainly, a lot of source packages are not signed at all (it seems
> that it is TUV behaviour), but some of them show me (when "rpm -K"):
>> zlib-1.2.3-27.el6.src.rpm: (sha1) dsa sha1 (MD5) PGP md5 gpg NOT OK
>
> rpm -q gpg-pubkey:
>> gpg-pubkey-fd431d51-4ae0493b
>> gpg-pubkey-2fa658e0-45700c69
>> gpg-pubkey-0608b895-4bd22942
>> gpg-pubkey-f6777c67-45e5b1b9
>> gpg-pubkey-1d1e034b-42bfd0c5
>> gpg-pubkey-a109b1ec-3f6e28d5
>> gpg-pubkey-f21541eb-4a5233e7
>> gpg-pubkey-897da07a-3c979a7f
>> gpg-pubkey-db42a60e-37ea5438
>> gpg-pubkey-37017186-45761324
>> gpg-pubkey-42193e6b-4624eff2
>> gpg-pubkey-849c449f-4cb9df30
>> gpg-pubkey-5568bbb2-4cb9de99
>> gpg-pubkey-192a7d7d-4a5769d0
>> gpg-pubkey-eb10625a-4a576ad9
>> gpg-pubkey-9505722e-4a576b54
>> gpg-pubkey-13a0a2dc-4a576ba5
>> gpg-pubkey-9b1fd350-4a576be4
> I have at least 350 such packages; all of them seem to differ from the TUV ones.
>
> I don't use mirrorlists, just ftpX.scientificlinux.org URLs.
>
> What do I have to do about this?
>
>
> Regards,
> Dmitry Butskoy
> http://www.fedoraproject.org/wiki/DmitryButskoy

--
Pat Riehecky
Scientific Linux Developer