On Wed, 2012-02-22 at 11:36 -0600, Pat Riehecky wrote:
> Can I have you check again with rpmdev-checksig?  The zlib rpm you 
> listed below is signed by TUV and by SL, perhaps it is only checking the 
> one key.

First of all, sorry for the "lot of sources packages are not signed at all"
mistake -- I just had not noticed the lower "pgp" string. :(

Well,
> # rpmdev-checksig zlib-1.2.3-27.el6.src.rpm 
> zlib-1.2.3-27.el6.src.rpm: DSA/SHA1 - 192a7d7d - <[log in to unmask]>

it shows the gpg key only, and this key is OK.

> # rpm -K zlib-1.2.3-27.el6.src.rpm 
> zlib-1.2.3-27.el6.src.rpm: (sha1) dsa sha1 (MD5) PGP md5 gpg NOT OK

Here I see that "gpg" seems OK, but "PGP" (and "MD5"?) not.

Maybe it is because I run it under Fedora 12 with rpm-4.7.2?

BTW, what is the reason to sign an already TUV-signed package again with the SL
signature (if that is actually the case)?


Regards,
Dmitry Butskoy