Friday, May 15, 2009

» Import Packman package signing keys

Short version:

In order to import and trust the GPG key that signs Packman packages, do as follows (as root):
rpm --import

Long version:

Here is why you might get warnings from RPM when installing packages from the Packman repository, telling you that the signing key is unknown: in our infrastructure, the packages are built on a different host than the one that serves them for public consumption, and while the RPM files are signed on our build host, the repository metadata is signed on the HTTP/FTP/rsync server. We currently use two different keys for that (one for signing the packages, and another one for signing the repository metadata). But zypper and YaST2 (through their common package management stack in libzypp) only support the automatic import of the key that is used for signing the repository metadata (well, after prompting you to do so, obviously ;)). Hence you also need to import the public key that we use to sign the RPM files. There are two ways to do that:
1. use rpm --import:
Execute the following command in a terminal, as root:
rpm --import \

2. install the package rpmkey-packman:
That package is obviously available in the Packman repository, so if you already added the Packman repository to the package management stack, do this as root:
zypper install rpmkey-packman

And if you didn't, use 1-click-install to (optionally) add the repository and install the package, by clicking this link.
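
To see which key a downloaded package was signed with and whether that key is already in the rpm keyring (the package-signing key described above, as opposed to the repository metadata key), here is an added example that is not part of the original post or of Packman's tooling. The function names are hypothetical and the sample signature line and key IDs are constructed.

```sh
#!/bin/sh
# Added example (not Packman's own tooling): is the key that signed an RPM
# already in the rpm keyring?

# Print the short (last 8 hex digits, lower case) key ID found in an rpm
# "pgpsig" line such as "DSA/SHA1, <date>, Key ID 0123456789abcdef".
sig_short_keyid() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]\{16\}\).*/\1/p' |
        tr 'A-F' 'a-f' | cut -c9-16
}

# $1 = short key ID, $2 = newline-separated gpg-pubkey versions.
# rpm stores each imported key as a pseudo-package gpg-pubkey-<short id>-<time>.
key_in_keyring() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$2" | tr 'A-F' 'a-f' | grep -qxF "$1"
}

# Run both checks against a real package file (needs rpm; hypothetical helper).
check_rpm() {
    sig=$(rpm -qp --qf '%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}|%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}\n' "$1" 2>/dev/null)
    id=$(sig_short_keyid "$sig")
    ring=$(rpm -q gpg-pubkey --qf '%{VERSION}\n' 2>/dev/null)
    if key_in_keyring "$id" "$ring"; then
        echo "$1: signing key $id is in the rpm keyring"
    else
        echo "$1: signing key ${id:-unknown} is NOT in the rpm keyring"
        return 1
    fi
}

# Constructed sample data (not real Packman values).
SAMPLE_SIG='DSA/SHA1, Fri 15 May 2009 10:00:00 AM UTC, Key ID 0123456789ABCDEF'
SAMPLE_KEYRING='deadbeef
89abcdef'

id=$(sig_short_keyid "$SAMPLE_SIG")
if key_in_keyring "$id" "$SAMPLE_KEYRING"; then
    echo "sample: key $id present"
else
    echo "sample: key $id missing, import it first"
fi
```

A matching short key ID only identifies the key; the signature itself is verified with `rpm -K <file>.rpm` once the key is imported. Before running `rpm --import`, compare the key's full fingerprint with one obtained over a separate channel.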



Blogger Andrea Florio said...

Installing the rpm does not work; the only way to make the warning disappear is to import the key manually. I have no idea of the reason.

