"Untrusted" packages in Fedora repository?

[amturnip]

In Fedora 16, I tried to install the "sharutils" package. Up came an authentication box saying, "The software is not from a trusted source. Do not install..."

Strange! Well, I also have Fedora 15 handy, and for an experiment I tried to install sharutils there. The authentication box said, "Authentication is required to install a signed package".

Is something wrong with my Fedora 16 setup?

Code:

# yum list sharutils
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
sharutils.x86_64                      4.11.1-1.fc16                       fedora

# grep http /etc/yum.repos.d/fedora.repo 
#baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
#baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
#baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/source/SRPMS/
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch

[nirik]

Can you attach the exact output from 'yum install sharutils' ?

[John the train]

Don't know if this is totally relevant, but Bob answered a similar query recently, which may help explain/reasure.

http://forums.fedoraforum.org/showthread.php?t=274865

[PabloTwo]

Package checks out OK here..

Code:

BASH:~/-> yumdownloader sharutils
Loaded plugins: langpacks, presto
sharutils-4.11.1-1.fc16.x86_64.rpm
BASH:~/-> rpm -K sharutils-4.11.1-1.fc16.x86_64.rpm 
sharutils-4.11.1-1.fc16.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

Maybe your gpg keys aren't installed correctly? Reinstall:

Code:

# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64

[Chilly Willy]

If I got what you posted, correct...
I've encountered that & when I do it is always associated with a GPG issue, usually a missing one. (unsigned ?) Since it is coming from a trusted repo, I just tell it to give it to me. But I'd NEVER do this on one that I wasn't sure about. That is where one is playing with fire!

[nirik]

You should never see an unsigned package from Fedora repos.

In this case I'm suspecting somehow the f16 key wasn't imported correctly or the like, but would love to see what yum says.

[Chilly Willy]

Quote:

Originally Posted by nirik

You should never see an unsigned package from Fedora repos.

In this case I'm suspecting somehow the f16 key wasn't imported correctly or the like, but would love to see what yum says.

I'm not sure if it was unsigned per say, so I edited my post. but I DO recall it being an issue with it, just not to sure what, as I haven't gotten any for a while now.

[amturnip]

Hmm, the "untrusted source" warning comes from "pkcon install" but not from "yum install". By the way, I get the same "rsa sha1 (md5) pgp md5 OK" output from "rpm -K" as PabloTwo. But I'm not sure it's good news. The manual says that parentheses indicate a failure. On the other hand, the output certainly ends with the word "OK". On the third hand, it mentions md5 twice, once as a failure and once as success.

Code:

# pkcon install sharutils
Simulating install            [=========================]         
Starting                      [=========================]         
Running                       [=========================]         
Resolving dependencies        [=========================]         
Installing                    [=========================]         
Waiting for authentication    [=========================]         
Waiting in queue              [=========================]         
Starting                      [=========================]         
Resolving dependencies        [=========================]         
Downloading packages          [=========================]         
Testing changes               [=========================]         
Installing packages           [=========================]         
Scanning applications         [=========================]         
Message: untrusted-package: The package sharutils from repo fedora is untrusted

[jposey]

Is there a way to list all the untrusted packages? I am wondering why have a warning message if everyone starts ignoring it, kinda like the boy who called wolf one time two many, and the big bad wolf bites the boy.

[nirik]

This might be related to this PackageKit bug:

https://bugzilla.redhat.com/show_bug.cgi?id=771746

I'd suggest folks that see this add info there, or file a new bug on PackageKit.

To see all packages and what key they were signed with:

yum install keychecker

keychecker

[jposey]

Thank you for your help, this is a good way to double check before something happens.

[amturnip]

nirik, I think it is explained by the bug report you pointed out!