TurboVNC / turbovnc

Main TurboVNC repository
https://TurboVNC.org
GNU General Public License v2.0

RPM: v2.2.6 signed with wrong key? #274

Closed adsche closed 3 years ago

adsche commented 3 years ago

Hi all,

thanks for the great work!

Trying to update via the official TurboVNC RPM repo, I get the following error on CentOS 7:

warning: /var/cache/yum/x86_64/7/TurboVNC/packages/turbovnc-2.2.6.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 6e7fe9a1: NOKEY
Public key for turbovnc-2.2.6.x86_64.rpm is not installed
turbovnc-2.2.6.x86_64.rpm                                                                                  | 4.4 MB  00:00:05
Retrieving key from https://sourceforge.net/projects/turbovnc/files/VGL-GPG-KEY

The GPG keys listed for the "TurboVNC official RPMs" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Also manually re-importing the current key (as stated in the official TurboVNC.repo linked here) fails to validate the RPM:

$ sudo rpm --import https://sourceforge.net/projects/turbovnc/files/VGL-GPG-KEY
$ rpm --checksig /var/cache/yum/x86_64/7/TurboVNC/packages/turbovnc-2.2.6.x86_64.rpm
/var/cache/yum/x86_64/7/TurboVNC/packages/turbovnc-2.2.6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#6e7fe9a1)

(Package and repo caches have been cleared before testing this.)

Is it possible that a different signing key was used that has not been published yet?

dcommander commented 3 years ago

Should be good now. Sorry about that. Previous versions of TurboVNC were signed with a 1024-bit DSA key, which isn't considered very secure by today's standards. 2.2.6 and later are signed with a new 4096-bit RSA key, but I had neglected to update the key URLs:

https://www.TurboVNC.org/key/VGL-GPG-KEY
https://sourceforge.net/projects/turbovnc/files/VGL-GPG-KEY

with the new key. As with VirtualGL and libjpeg-turbo, the new 4096-bit key has now replaced the old key at those URLs, and new URLs:

https://www.TurboVNC.org/key/VGL-GPG-KEY-1024
https://sourceforge.net/projects/turbovnc/files/VGL-GPG-KEY-1024

contain the old key. This allows the old YUM repo file to work properly, as long as you are only trying to install the latest version. If you need to install previous versions using YUM, then download the new YUM repo file from https://turbovnc.org/Downloads/YUM. The new YUM repo file contains the URLs of both the old and new keys.
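
A small diagnostic for the NOKEY condition discussed in this thread, written here as an added example (not TurboVNC project code): it extracts the key ID that rpm or yum complained about, checks it against the keys rpm has already imported, and pulls the gpgkey URLs out of a .repo file, including the multi-URL form the new repo file uses to carry both the old and the new key. All rpm output and repo text in it are constructed samples; the key ID and key URLs are the ones quoted above.

```python
"""Diagnose the rpm/yum NOKEY failure from the thread above (added example,
not TurboVNC project code). All sample strings below are constructed; the
key ID 6e7fe9a1 and the key URLs are the ones quoted in the issue."""
import re

# Matches "PGP#6e7fe9a1" (rpm --checksig) and "key ID 6e7fe9a1" (yum warning).
_KEYID_RE = re.compile(r"(?:PGP#|key ID )([0-9A-Fa-f]{8,16})")

def missing_key_id(rpm_output):
    """Signing key ID rpm/yum could not find, or None if the signature verified."""
    if "NOKEY" not in rpm_output and "MISSING KEYS" not in rpm_output:
        return None
    m = _KEYID_RE.search(rpm_output)
    return m.group(1).lower() if m else None

def installed_key_ids(rpm_q_output):
    """Parse `rpm -q gpg-pubkey` lines (gpg-pubkey-<keyid>-<date>) into key IDs."""
    return {line.split("-")[2].lower()
            for line in rpm_q_output.splitlines() if line.startswith("gpg-pubkey-")}

def repo_gpgkey_urls(repo_text):
    """Every URL under gpgkey=. yum accepts several, the extra ones on indented
    continuation lines; that is how a repo file carries the rotated key and the old one."""
    urls, in_gpgkey = [], False
    for raw in repo_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("gpgkey="):
            in_gpgkey, line = True, line.split("=", 1)[1]
        elif not (in_gpgkey and raw[:1] in (" ", "\t") and line):
            in_gpgkey = False
            continue
        urls.extend(line.split())
    return urls

def keys_to_import(rpm_output, rpm_q_output, repo_text):
    """URLs to feed to `rpm --import` when the package's signing key is absent.
    If the key ID still does not match afterwards, the key served at those URLs is
    not the one the package was signed with (this issue): fix the repo file or key."""
    kid = missing_key_id(rpm_output)
    if kid is None or kid in installed_key_ids(rpm_q_output):
        return []
    return repo_gpgkey_urls(repo_text)

# Constructed samples modelled on the thread.
CHECKSIG = ("turbovnc-2.2.6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK "
            "(MISSING KEYS: (MD5) PGP#6e7fe9a1)")
INSTALLED = "gpg-pubkey-0123abcd-5e000000\n"  # constructed: an unrelated key only
OLD_REPO = ("[TurboVNC]\nname=TurboVNC official RPMs\n"
            "gpgkey=https://sourceforge.net/projects/turbovnc/files/VGL-GPG-KEY\n")
```

Run the real commands (`rpm --checksig`, `rpm -q gpg-pubkey`) and feed their output in; a non-empty result lists the keys to import before retrying the install, never a reason to set gpgcheck=0.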

adsche commented 3 years ago

Excellent, thank you very much, also for being so quick to fix it! Can confirm that it worked without any interventions now on CentOS.