[Glastonbury] jackd

Ian Dickinson i.j.dickinson at gmail.com
Wed Jan 5 12:46:17 GMT 2005


Hi Maurice,
Most sites that publish RPMs and other packages also publish a secure
key so that you can be sure that the package you're installing is the
one they published and digitally signed, not one that someone else has
tampered with. You need to tell RPM about this key, so that it can
check the package before installing it. If you don't have a key for a
signed package, you get the warning you saw.

What you need to do:
* go to the web site for the package publisher, and find their GPG
key. It's typically named something like RPM-GPG-KEY.txt, and should
be pretty visible.

* download the key to your system by clicking 'save as' in firefox, or use wget

* as root, import the key into GPG and RPM:
    rpm --import the.key.file.txt
    gpg --import the.key.file.txt

Now you shouldn't get the warning, and you can be sure you are getting
genuine packages.

Btw, if you were able to begin the process of installing an RPM direct
from firefox, it suggests you are running as superuser (root)
normally. It's generally not a good idea to do this: better to run as
a normal user, and only su to root as and when you need to do
something that a non-privileged user can't do.

hth,
Ian

On Wed, 5 Jan 2005 11:21:15 +0000, maurice <mail at mauricebutler.co.uk> wrote:
> Rosegarden mentioned xsynth so I went to download it. The firefox browser was
> also eager not just to download but to install the rpm package all by itself
> which I thought was wonderful. Well, of course I did:-)
> 
> However, and there always seems to be a "however" with Linux,  I got some
> warnings:
> 
> Invalid Signature
> Missing Key
> . . . . NOT OK
> 
> So I aborted the download. From your collective knowledge and wisdom could
> you advise me if I was right to abort and whether such warnings were right to
> be heeded.
> 
> Thanks once again
> Maurice
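
Added example, not part of the original message: once the publisher's key has been imported as described above, `rpm -K` (`rpm --checksig`) re-checks a downloaded package before it is installed. The shell functions below gate on that output and treat a package carrying no signature as a failure, since rpm still ends that line with OK; `classify_checksig` and `check_rpm` are hypothetical names, the keyword matching assumes rpm's usual output wording, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: decide from `rpm -K` output whether a package is safe to install.

# classify_checksig LINE -> prints one of: signed-ok | unsigned | not-ok
#   constructed samples:
#     "pkg.rpm: digests signatures OK"             -> signed-ok
#     "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"        -> signed-ok (older rpm wording)
#     "pkg.rpm: digests OK"                        -> unsigned
#     "pkg.rpm: digests SIGNATURES NOT OK"         -> not-ok (bad signature or missing key)
classify_checksig() {
    # Drop the leading "name.rpm: " so the file name cannot match a keyword.
    result=${1#*: }
    case "$result" in
        *"NOT OK"*)
            echo "not-ok" ;;
        *OK)
            # OK only means the checks that ran passed. A package with no
            # signature also ends in OK, so require a signature keyword too.
            case "$result" in
                *signatures*|*gpg*|*pgp*|*dsa*|*rsa*) echo "signed-ok" ;;
                *) echo "unsigned" ;;
            esac ;;
        *)
            # Anything unrecognised (rpm missing, unreadable file) fails closed.
            echo "not-ok" ;;
    esac
}

# check_rpm FILE -> prints the verdict; succeeds only for a verified signature
check_rpm() {
    line=$(LC_ALL=C rpm -K "$1" 2>&1) || true
    verdict=$(classify_checksig "$line")
    echo "$1: $verdict"
    [ "$verdict" = "signed-ok" ]
}
```

Typical use is `check_rpm package.rpm && rpm -Uvh package.rpm`, run after the key import.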


