Pat Riehecky wrote:
> On 02/27/2012 09:01 AM, Dmitry Butskoy wrote:
>>>
>>> Can I have you check again with rpmdev-checksig?  The zlib rpm you
>>> listed below is signed by TUV and by SL, perhaps it is only checking 
>>> the
>>> one key.
>>
>> Could you please explain how you sign these packages?
>>
> We are just running rpm --addsign

I've performed some tests, playing with my own gpg-key, and I cannot 
reproduce your behaviour. :(

(All tests are under the currrent SL-6.2 x86_64 system).

Each time I do "rpm --addsign", the old sign is always removed (for 
TUV-signed only, broken twice-signed or not signed at all packages). 
Then, "rpm -K" shows "OK", with only my new gpg (just signed) key.

Could you please perform the similar tests somewhere? I wonder how you 
produce such a signed file(s) in your environment. Such results IMO 
should never happen.


Regards,
Dmitry Butskoy