Heads up: Some packages with Invalid key to be aware of

Hello,

  • OpenMandriva Lx version:
    LX 3

  • Desktop environment (KDE, LXQT…):
    All

  • Description of the issue (screenshots if relevant):
    You’ve seen this before…

  • Relevant informations (hardware involved, software version, logs or output…):
    Basically the packages are systemd package stack, lib64gck1_0, and lib64gcr-base3_1 have Invalid key (aka: Bad signature).

Developers are aware of this a working on it.

You can read more here.

2 Likes

I have the same problem with other packages.

To satisfy dependencies, the following packages are going to be installed:
 Package                        Version      Release       Dist  DEpoch Arch 
(medium "main (Einsteinium3.0-1)")
 lib64mspack0                   0.5          0.1.alpha     omv   2015.0 x86_64 
(medium "main updates (Einsteinium3.0-2)")
 bluez                          5.49         1             omv   2015.0 x86_64 
 dmsetup                        1.02.146     1             omv   2015.0 x86_64 
 evolution                      3.28.0       2             omv   2015.0 x86_64 
 evolution-ews                  3.28.0       1             omv   2015.0 x86_64 
 lib64bluez3                    5.49         1             omv   2015.0 x86_64 
 lib64devmapper-devel           1.02.146     1             omv   2015.0 x86_64 
 lib64devmapper-event-devel     1.02.146     1             omv   2015.0 x86_64 
 lib64devmapper-event1.02       1.02.146     1             omv   2015.0 x86_64 
 lib64devmapper1.02             1.02.146     1             omv   2015.0 x86_64 
 lib64edataserverui1.2_2        3.28.0       3             omv   2015.0 x86_64 
 lib64gnome-autoar0_0           0.2.3        1             omv   2015.0 x86_64 
 lib64icalvcal3                 3.0.3        1             omv   2015.0 x86_64 
 lib64lvm2app2.2                2.02.177     1             omv   2015.0 x86_64 
 lib64lvm2cmd-devel             2.02.177     1             omv   2015.0 x86_64 
 lib64lvm2cmd2.02               2.02.177     1             omv   2015.0 x86_64 
 lib64perl5.20                  5.20.3       3             omv   2015.0 x86_64 
 lvm2                           2.02.177     1             omv   2015.0 x86_64 
 perl                           5.20.3       3             omv   2015.0 x86_64 
 perl-base                      5.20.3       3             omv   2015.0 x86_64 
7.7MB of additional disk space will be used.
24MB of packages will be retrieved.
Proceed with the installation of the 20 packages? (Y/n) Y


The following packages have bad signatures:
/var/cache/urpmi/rpms/bluez-5.49-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Thu Mar 22 13:49:19 2018, Key ID e58ab9ce37a7779a))
/var/cache/urpmi/rpms/dmsetup-1.02.146-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Sat Mar 17 23:20:07 2018, Key ID 6e5e7d9fab3958db))
/var/cache/urpmi/rpms/evolution-3.28.0-2-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Fri Mar 23 14:17:54 2018, Key ID ddae979e8c79c1fb))
/var/cache/urpmi/rpms/lib64bluez3-5.49-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Thu Mar 22 13:49:20 2018, Key ID e58ab9ce37a7779a))
/var/cache/urpmi/rpms/lib64devmapper-devel-1.02.146-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Sat Mar 17 23:20:07 2018, Key ID 6e5e7d9fab3958db))
/var/cache/urpmi/rpms/lib64devmapper-event-devel-1.02.146-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Sat Mar 17 23:20:08 2018, Key ID 6e5e7d9fab3958db))
/var/cache/urpmi/rpms/lib64devmapper-event1.02-1.02.146-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Sat Mar 17 23:20:08 2018, Key ID 6e5e7d9fab3958db))
/var/cache/urpmi/rpms/lib64devmapper1.02-1.02.146-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Sat Mar 17 23:20:07 2018, Key ID 6e5e7d9fab3958db))
/var/cache/urpmi/rpms/lib64edataserverui1.2_2-3.28.0-3-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Fri Mar 23 11:20:18 2018, Key ID 1c1f0d5402faf262))
/var/cache/urpmi/rpms/lib64lvm2app2.2-2.02.177-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Sat Mar 17 23:20:06 2018, Key ID 6e5e7d9fab3958db))
/var/cache/urpmi/rpms/lib64lvm2cmd-devel-2.02.177-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Sat Mar 17 23:20:06 2018, Key ID 6e5e7d9fab3958db))
/var/cache/urpmi/rpms/lib64lvm2cmd2.02-2.02.177-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Sat Mar 17 23:20:05 2018, Key ID 6e5e7d9fab3958db))
/var/cache/urpmi/rpms/lib64perl5.20-5.20.3-3-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Thu Mar 22 13:24:06 2018, Key ID f6155fac0c56f380))
/var/cache/urpmi/rpms/lvm2-2.02.177-1-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Sat Mar 17 23:20:03 2018, Key ID 6e5e7d9fab3958db))
/var/cache/urpmi/rpms/perl-5.20.3-3-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Thu Mar 22 13:23:50 2018, Key ID f6155fac0c56f380))
/var/cache/urpmi/rpms/perl-base-5.20.3-3-omv2015.0.x86_64.rpm: Invalid Key ID (OK (RSA/SHA1, Thu Mar 22 13:24:05 2018, Key ID f6155fac0c56f380))
Do you want to continue installation ? (y/N) N

This is a consequence of the ongoing work on ABF regarding the conversion form urpmi to dnf (and rpm5>rpm.org). Developers are aware of the issue and working to resolve.

Officially I can not recommend to anyone to install packages with this error.

However it is almost certain that the packages are OK. (I have installed them myself and have seen no issues so far.)

Edit: Note: What exactly is happening currently is that for some reason when QA moves packages from testing repos to updates repos they are not being signed. So the exact problem in not “bad signatures” as it says but no signature. Again, we are working to resolve.
Edit2: In other words packages in testing repos are not signed and are signed when QA moves the packages to updates repo.

1 Like

Sorry for the inconvenience. I’ve managed to fix rpm signing. Now i’ll start to resign all the packages.

3 Likes

Thanks @TPG.

In progress.
bluez-5.49-1-omv2015.0.x86_64.rpm:
Header V4 RSA/SHA512 signature: OK, key ID bf81de15
Header SHA1 digest: OK (67d701cfff8f1d847453f0ddbed7e32a82c22ed5)
MD5 digest: OK (5c83930462806bb2ebdbe1e70b7dd711)

You need to wait for mirrors to get synced.

1 Like

If you have already already download the packages with bad signatures, you might have to remove them from /var/cache/urpmi/rpms/ to force loading the valid new packages.

2 Likes

Which can be done with:

# urpmi --clean -av

As described here.

2 Likes

Ok, thanks.

1 Like

Thank you. It works.