Hi All,

Several of you have reported issues with the F-9 and F-10
NetworkManager updates that were pushed last night (March 9)
related to an incorrect GPG key. The error output looked like:

    Public key for NetworkManager-0.7.0.99-3.fc10.i386.rpm is not installed

However the key it was signed with was apparently the proper F9 or F10
GPG key.

This issue has been resolved for F-10 updates, and will be resolved for
F-9 updates relatively soon. In an effort for full disclosure, I've
included a description of the events that caused this below.

Late last evening the NetworkManager update was submitted for a push to
fix an issue with the previous update that had caused somewhat of a
regression that seems to impact a large number of users. Rel-Eng signed
the update with the proper key, and pushed it out via Bodhi.

At the same time, Rel-Eng was attempting to get the Fedora 11 Beta packages
signed with a newly generated f11-test key that is much larger in size (this
is related to the Stronger Hashes Feature that is coming with F11). The use
of the larger GPG key requires some different arguments to be passed to rpm
for the signing phase, including using --digest-algo sha256. The signing
script was being reworked to invoke rpm correctly for this Feature, as well
as still work for the current release's GPG keys.

When the F-10 and F-9 updates were signed, a stale copy of the signing
script was inadvertently used. This contained the new F-11 invocation of
rpm with the proper GPG keys, resulting in a validly signed RPM but using
SHA256 as the hash type. The F-9 and F-10 RPM versions could detect that
the updates had been signed, however due to lack of support for the larger
hash type they could not validate the key. The error message reported by
RPM is somewhat confusing.

This morning the F-9 and F-10 updates were re-signed properly and the repos
were recreated. This may take some time to filter to all the mirrors, so
please have patience.

We apologize for the inconvenience.

josh, for Fedora Rel-Eng
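
The failure described above can be caught before a push by reading the digest algorithm out of the OpenPGP signature packet and comparing it with what the target release can verify. This is an added example, not Rel-Eng's signing script: RELEASE_POLICY is an assumed table (SHA1 for F-9/F-10 is an assumption, the message only says they lack SHA256 support), the sample packets are constructed, and extracting the packet from the RPM is not shown.

```python
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880, section 9.4
# Assumed policy (hypothetical): the digest each release's rpm can verify.
RELEASE_POLICY = {"f9": {"SHA1"}, "f10": {"SHA1"}, "f11": {"SHA256"}}
# Constructed header-only signature packets (no real key material or MPIs).
SHA256_SIG = bytes.fromhex("880a" "04000108" "000000000000")          # v4
SHA1_SIG = bytes.fromhex("8813030500" "49b5a000" "0011223344556677" "11020000")  # v3


def signature_body(packet: bytes) -> bytes:
    """Strip the RFC 4880 packet header and return the signature body."""
    if len(packet) < 2 or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if packet[0] & 0x40:                  # new-format header
        tag, o1 = packet[0] & 0x3F, packet[1]
        if o1 < 192:
            start, length = 2, o1
        elif o1 < 224:
            start = 3
            length = ((o1 - 192) << 8) + int.from_bytes(packet[2:3], "big") + 192
        elif o1 == 255:
            start, length = 6, int.from_bytes(packet[2:6], "big")
        else:
            raise ValueError("partial body length in a signature packet")
    else:                                 # old-format header
        tag, ltype = (packet[0] >> 2) & 0x0F, packet[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        start = 1 + (1 << ltype)
        length = int.from_bytes(packet[1:start], "big")
    body = packet[start:start + length]
    if tag != 2 or len(body) != length:
        raise ValueError("not a complete signature packet")
    return body


def digest_algorithm(packet: bytes) -> str:
    """Name the hash algorithm recorded in a v3 or v4 signature packet."""
    body = signature_body(packet)
    offset = {3: 16, 4: 3}.get(body[0] if body else 0)
    if offset is None or len(body) <= offset:
        raise ValueError("unsupported or truncated signature packet")
    return HASH_NAMES.get(body[offset], f"unknown({body[offset]})")


def check_push(release: str, packet: bytes) -> tuple:
    """Return (allowed, algorithm) for signing output bound for `release`."""
    algo = digest_algorithm(packet)
    return algo in RELEASE_POLICY[release], algo
```

Run as a gate after signing and before the repo is composed, a (False, "SHA256") result for an F-10 package flags a signature the release's rpm cannot validate.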