Hi, on Vdsm packages downloaded from http://resources.ovirt.org/pub/ovirt-4.0/src/vdsm/ : % gpg --verify vdsm-4.18.13.tar.gz.sig gpg: assuming signed data in 'vdsm-4.18.13.tar.gz' gpg: Signature made Wed 14 Sep 2016 04:38:26 PM CEST using RSA key ID FE590CB7 gpg: Good signature from "oVirt <infra@ovirt.org>" [expired] gpg: Note: This key has expired! Primary key fingerprint: 31A5 D783 7FAD 7CB2 86CD 3469 AB8C 4F9D FE59 0CB7 % gpg --list-keys infra@ovirt.org pub 2048R/FE590CB7 2014-03-30 [expired: 2016-04-02] uid [ expired] oVirt <infra@ovirt.org> Either I download fake packages signed with a cracked expired key, or you sign the packages with an expired key. Not good in any case.
On Mon, Sep 19, 2016 at 10:01 AM, Milan Zamazal <mzamazal@redhat.com> wrote:
Hi, on Vdsm packages downloaded from http://resources.ovirt.org/pub/ovirt-4.0/src/vdsm/ :
% gpg --verify vdsm-4.18.13.tar.gz.sig gpg: assuming signed data in 'vdsm-4.18.13.tar.gz' gpg: Signature made Wed 14 Sep 2016 04:38:26 PM CEST using RSA key ID FE590CB7 gpg: Good signature from "oVirt <infra@ovirt.org>" [expired] gpg: Note: This key has expired! Primary key fingerprint: 31A5 D783 7FAD 7CB2 86CD 3469 AB8C 4F9D FE59 0CB7
% gpg --list-keys infra@ovirt.org pub 2048R/FE590CB7 2014-03-30 [expired: 2016-04-02] uid [ expired] oVirt <infra@ovirt.org>
Either I download fake packages signed with a cracked expired key, or you sign the packages with an expired key. Not good in any case.
Please run gpg --refresh-keys Thanks,
_______________________________________________ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra
-- Sandro Bonazzola Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com <https://www.redhat.com/it/about/events/red-hat-open-source-day-2016>
Sandro Bonazzola <sbonazzo@redhat.com> writes:
On Mon, Sep 19, 2016 at 10:01 AM, Milan Zamazal <mzamazal@redhat.com> wrote:
Hi, on Vdsm packages downloaded from http://resources.ovirt.org/pub/ovirt-4.0/src/vdsm/ :
% gpg --verify vdsm-4.18.13.tar.gz.sig gpg: assuming signed data in 'vdsm-4.18.13.tar.gz' gpg: Signature made Wed 14 Sep 2016 04:38:26 PM CEST using RSA key ID FE590CB7 gpg: Good signature from "oVirt <infra@ovirt.org>" [expired] gpg: Note: This key has expired! Primary key fingerprint: 31A5 D783 7FAD 7CB2 86CD 3469 AB8C 4F9D FE59 0CB7
% gpg --list-keys infra@ovirt.org pub 2048R/FE590CB7 2014-03-30 [expired: 2016-04-02] uid [ expired] oVirt <infra@ovirt.org>
Either I download fake packages signed with a cracked expired key, or you sign the packages with an expired key. Not good in any case.
Please run gpg --refresh-keys
I see, it's OK now, thanks!
participants (2)
-
Milan Zamazal -
Sandro Bonazzola