[Triumf-linux-managers] Failing security updates - new SL signing keys
Kelvin Raywood
kray at triumf.ca
Tue Jul 21 14:28:05 PDT 2009
This is an important announcement for all users of Scientific Linux.
Security updates to all versions of SL-4 and SL-5 are now signed with
new signing keys. This causes updates to fail on systems that have
signature checking enabled and have not imported the public-key
component of the new keys. This is the case on all systems installed
from a TRIUMF kickstart except for SL-5.3.
Since updates are now failing, it is impossible for me to push out an
update to a triumf rpm that would fix the problem. Therefore you must
import the keys manually on all your SL systems (pre 5.3). Some systems
will have received an update to the rpm sl-release and therefore have
the keys in "/etc/pki/gpg/keys" but not yet imported into the rpm
database. In case your system has not yet received the sl-release
update, I have put the keys on mirror.triumf.ca and they can be imported
directly from there.
On all SL-4 systems do:
rpm --import http://mirror.triumf.ca/SL/keys/RPM-GPG-KEY-sl{,4}
On SL 5.0, 5.1 and 5.2 systems do:
rpm --import http://mirror.triumf.ca/SL/keys/RPM-GPG-KEY-sl{,5}
Applying this to SL-5.3 does not hurt, so if it is inconvenient to
discriminate, then just go ahead and import the keys on all your SL systems.
Feel free to contact me if updates are failing on a system that you manage.
More Info
The public-key components of the keys were added to the "sl-release" rpm
last week. The paths to the keys used by a repository are specified in
the definition of that repository in a file with a ".repo" extension in
"/etc/yum.repos.d/". Thus when new keys are added, the .repo files need
to be modified so that the keys will be automatically installed.
The definitions of the SL yum-repositories were updated through the rpm
"yum-conf". The maintainers of Scientific Linux did not take into
account that if the yum repo files have been locally modified, then the
new versions of the repo files are installed with the extension
".rpmnew". This is a feature of rpm to ensure that modified configuration
files are not overwritten. However, by default signature checking is
disabled in Scientific Linux, so to enable signature checking the .repo
files have to be modified, which means that the modified .repo files do
not get the path to the new keys and hence updates fail.
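The following audit script is an added example, not part of this announcement or of the sl-release/yum-conf packages. It walks a yum.repos.d directory and reports the two conditions described above: an enabled repository with gpgcheck=1 whose gpgkey entries name local key files that are missing, and a .repo file that rpm left a ".rpmnew" copy beside. It assumes POSIX sh with awk, sed and mktemp; the repo files in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the announcement): audit a yum.repos.d directory for
# enabled repos with gpgcheck=1 whose file:// gpgkey paths do not exist, and
# for .repo files that have a pending ".rpmnew" replacement beside them.
audit_repos() {
    dir="$1"
    for repo in "$dir"/*.repo; do
        [ -f "$repo" ] || continue
        [ -f "$repo.rpmnew" ] && echo "RPMNEW $repo"
        # Flatten each [section] to one line: name gpgcheck enabled key...
        awk '
            function flush(    e) {
                if (sec == "") return
                e = (en == "") ? 1 : en + 0
                print sec, gc + 0, e, keys
                sec = ""; gc = ""; en = ""; keys = ""
            }
            /^\[.*\]$/   { flush(); sec = substr($0, 2, length($0) - 2); next }
            /^gpgcheck=/ { gc = substr($0, 10) }
            /^enabled=/  { en = substr($0, 9) }
            /^gpgkey=/   { keys = keys " " substr($0, 8); inkey = 1; next }
            /^[ \t]/ && inkey { keys = keys " " $0; next }
            { inkey = 0 }
            END { flush() }
        ' "$repo" |
        while read -r sec gc en keys; do
            [ "$gc" -eq 1 ] && [ "$en" -eq 1 ] || continue
            for key in $keys; do
                case "$key" in
                    file://*) path="${key#file://}" ;;
                    *) continue ;;   # http/ftp keys are fetched by yum itself
                esac
                [ -f "$path" ] || echo "MISSING $sec $path"
            done
        done
    done
}

# Constructed demo: one key present, one missing, a pending .rpmnew, and a
# repo with gpgcheck=0 that must not be reported. Temp dir is printed as DIR.
demo() {
    d=$(mktemp -d); mkdir "$d/keys"; : > "$d/keys/RPM-GPG-KEY-sl"
    printf '[sl-security]\ngpgcheck=1\ngpgkey=file://%s/keys/RPM-GPG-KEY-sl\n       file://%s/keys/RPM-GPG-KEY-sl5\n' "$d" "$d" > "$d/sl.repo"
    cp "$d/sl.repo" "$d/sl.repo.rpmnew"
    printf '[local]\ngpgcheck=0\ngpgkey=file:///nonexistent\n' > "$d/local.repo"
    audit_repos "$d" | sed "s#$d#DIR#g"; rm -rf "$d"
}

demo
```

Run audit_repos /etc/yum.repos.d on an SL-4 or SL-5 host to see which repositories still reference key files that were never delivered, and which .repo files have an unmerged .rpmnew.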
Kel Raywood
Core Computing and Networking
TRIUMF