On 11/18/2017 02:42 AM, Andrea Pescetti wrote:
> We only sign the .tar.gz archive and signatures are in the .asc file
> corresponding to the archive you downloaded. So in your case the
> signature could be verified this way:
> 1. Download
> http://archive.apache.org/dist/openoffice/4.1.4/binaries/en-US/Apache_OpenOffice_4.1.4_Linux_x86-64_install-rpm_en-US.tar.gz.asc
>
> 2. Run gpg --verify Apache_OpenOffice_4.1.4_Linux_x86-64_install-rpm_en-US.tar.gz.asc

When I try that, I get:
gpg: Signature made Thu 12 Oct 2017 11:18:37 AM EDT using RSA key ID 791485A8
gpg: Can't check signature: No public key


>
> This will let you verify the GPG signatures; it will probably still
> give you warnings and errors if you haven't imported the keys, but we
> can discuss this separately in case.
>
> Now coming to your issue, it seems that the software you are using for
> the installation is instead demanding that the individual RPM packages
> within the archive are signed, which is not the case (as we sign the
> archive as a whole).
>
> What command do you use for installation? RPM directly, something like
> "rpm -Uvh *.rpm"? Or some interface to it? There is probably some
> setting that you should disable in order for it to trust "unsigned"
> packages (again, ours ARE signed; just, we sign the archive but not
> the individual packages).

I use the YaST software management utility.  I create a
repository by copying the contents of the downloaded file to a directory
and then tell the YaST software management to update.  I've been using
this method for years and it's never failed before.
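
The "No public key" result above means gpg could not check the signature at all, which is different from a signature that failed. As an added example (not part of the original thread), this shell sketch tells the two apart by reading gpg's machine-readable `--status-fd` output; the function names, the key ID `AAAAAAAAAAAAAAAA` and the sample lines are constructed placeholders, and the expected fingerprint is assumed to come from the project's published signing keys.

```shell
#!/bin/sh
# Added example: classify `gpg --status-fd 1 --verify FILE.asc FILE` output.
# Status keywords (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY, VALIDSIG, ...) are
# GnuPG's own; the function names here are hypothetical.

# Reads status lines on stdin and prints exactly one verdict.
classify_gpg_status() {
    awk '
        $1 != "[GNUPG:]"  { next }
        $2 == "NO_PUBKEY" { missing = $3 }   # key not in the local keyring
        $2 == "BADSIG"    { bad = 1 }        # data or signature was altered
        $2 == "GOODSIG"   { good = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        $2 == "VALIDSIG"  { fpr = $3 }       # full fingerprint of signing key
        END {
            if (bad)                     print "bad-signature"
            else if (missing != "")      print "missing-key " missing
            else if (stale)              print "expired-or-revoked"
            else if (good && fpr != "")  print "good " fpr
            else                         print "unverified"
        }'
}

# verify_release SIG FILE EXPECTED_FPR
# Succeeds only when the signature is good AND was made by the pinned key.
verify_release() {
    sig=$1 file=$2 expected_fpr=$3
    verdict=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
              classify_gpg_status)
    echo "$verdict"
    [ -n "$expected_fpr" ] && [ "$verdict" = "good $expected_fpr" ]
}

# Constructed sample: what gpg emits when the signer's key is not imported.
sample_missing_key() {
    printf '%s\n' \
        '[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 1 8 00 1507821517 9' \
        '[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA'
}
```

A `missing-key` verdict calls for importing the project's signing key and re-running the check; only `bad-signature` indicates that the archive or the signature does not match.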
