On Wednesday 19 August 2009, Karsten Bräckelmann wrote:
>> > General advice: Post the error messages. Do a debug run. Post the
>> > relevant parts of the debug info.
>> >
>> > Gene -- with your headstrong, infamous around here user setup, you
>> > should first check exactly that -- users. Which one runs the cron job?
>> > Which one do you sudo to? And which one imported the GPG key?
>>
>> Thanks for the compliment.  I have studied on trying to do it right for
>> almost 75 years now.
>
>And yet you're doing it different than anyone else... ;)
>
Because I run as root, I wanted to remove the possibility of an email root
exploit; until I actually read it with kmail, all email is handled by the
user gene, aka me.

>> [25964] dbg: gpg: calling gpg
>> [25964] dbg: gpg: gpg: Signature made Tue 18 Aug 2009 03:24:59 AM EDT using DSA key ID 6C6191E3
>> [25964] dbg: gpg: [GNUPG:] SIG_ID XMBVEC+9EnYV7uMWvdrn/1H/+Hw 2009-08-18 1250580299
>> [25964] dbg: gpg: [GNUPG:] GOODSIG DC85341F6C6191E3 Justin Mason Signing Key (Code Signing Only) <signing...@jmason.org>
>> [25964] dbg: gpg: gpg: Good signature from "Justin Mason Signing Key (Code Signing Only) <signing...@jmason.org>"
>> [25964] dbg: gpg: [GNUPG:] VALIDSIG 8D25B5E91DAF0F715F60B588DC85341F6C6191E3 2009-08-18 1250580299 0 3 0 17 2 00 8D25B5E91DAF0F715F60B588DC85341F6C6191E3
>> [25964] dbg: gpg: [GNUPG:] TRUST_UNDEFINED
>> [25964] dbg: gpg: gpg: WARNING: This key is not certified with a trusted signature!
>> [25964] dbg: gpg: gpg: There is no indication that the signature belongs to the owner.
>> [25964] dbg: gpg: Primary key fingerprint: 8D25 B5E9 1DAF 0F71 5F60 B588 DC85 341F 6C61 91E3
>> [25964] dbg: gpg: found signature made by key 8D25B5E91DAF0F715F60B588DC85341F6C6191E3
>> [25964] dbg: gpg: key id 6C6191E3 is not release trusted
>
>                                       ^^^^^^^^^^^^^^^^^^^
>You failed to provide the obligatory --gpgkey 6C6191E3 option.

That key is available at the location given in the invocation:
#> su gene -c "/usr/bin/sa-update -D --channelfile ~/.spamassassin/channels.txt --gpghomedir /var/lib/spamassassin/keys"

>> channel: GPG validation failed, channel failed
>>
>> Obviously this is a trust setting, not a gpg failure as I assumed when I
>> posted.  Which then begs the question of who is untrusted, me, or
>> yerp.org?
>
>Your sa-update run doesn't trust that key to sign releases. Please see
>man sa-update [1] for general information about that option, and the
>SOUGHT rule-set usage instructions [2] again, on how to use sa-update
>with that channel.

I note that trustdb.gpg is only $1200 bytes long, whereas pubring is nearly
$5000 long.  Wandering around with gpg's queries, that key is indeed not in my
database.  WTF...
>
>
>[1] http://spamassassin.apache.org/full/3.2.x/doc/sa-update.html

That shows a different procedure; what I used started with a wget IIRC.

>[2] http://taint.org/2007/08/15/004348a.html

This site has the procedure I used.  Several times.
Replayed again here, using those instructs:

[r...@coyote keys]# su gene
[g...@coyote keys]$ cd
[g...@coyote ~]$  wget http://yerp.org/rules/GPG.KEY
--2009-08-19 11:50:03--  http://yerp.org/rules/GPG.KEY
Resolving yerp.org... XX.XX.XX.XX
Connecting to yerp.org|XX.XX.XX.XX|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2437 (2.4K) [application/pgp-keys]
Saving to: `GPG.KEY.1'

100%[===============================================================================================>] 2,437       --.-K/s   in 0.007s

2009-08-19 11:50:03 (338 KB/s) - `GPG.KEY.1' saved [2437/2437]

Then:
[g...@coyote ~]$ sa-update --import GPG.KEY.1

A test run:

[g...@coyote ~]$ sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
[g...@coyote ~]$

No reported error.  But, back as root, running the su gene -c "gene's crontab
line", I get this for yerp:
[6455] dbg: channel: attempting channel sought.rules.yerp.org
[6455] dbg: channel: update directory /var/lib/spamassassin/3.002005/sought_rules_yerp_org
[6455] dbg: channel: channel cf file /var/lib/spamassassin/3.002005/sought_rules_yerp_org.cf
[6455] dbg: channel: channel pre file /var/lib/spamassassin/3.002005/sought_rules_yerp_org.pre
[6455] dbg: channel: metadata version = 320805296
[6455] dbg: dns: 5.2.3.sought.rules.yerp.org => 320805296, parsed as 320805296
[6455] dbg: channel: current version is 320805296, new version is 320805296, skipping channel

I won't post the lengthy full -D output, but it worked with no errors.  What 
is different now than a couple of months ago when I did it the first 3 or 4 
times?  A head scratcher for sure.

And many thanks for the hand holding, it's appreciated.  But I hate it when
the usual winderz advice of re-installing actually works.  Spooky.  The
Heisenberg principle at work I guess.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The NRA is offering FREE Associate memberships to anyone who wants them.
<https://www.nrahq.org/nrabonus/accept-membership.asp>

Remember, in 2039, MOUSSE & PASTA will be available ONLY by prescription!!
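
An added example, not part of the original message or of SpamAssassin's code: a small triage of `sa-update -D` output that keeps gpg's signature result separate from sa-update's release-trust decision on the signing key, the distinction this thread turns on. The `triage` helper and the sample log are constructed here, modelled on the debug lines quoted above.

```python
import re

# Constructed sample in the shape of the sa-update -D output quoted above.
SAMPLE_LOG = """\
[25964] dbg: gpg: calling gpg
[25964] dbg: gpg: [GNUPG:] GOODSIG DC85341F6C6191E3 Justin Mason Signing Key (Code Signing Only)
[25964] dbg: gpg: [GNUPG:] VALIDSIG 8D25B5E91DAF0F715F60B588DC85341F6C6191E3 2009-08-18 1250580299
[25964] dbg: gpg: [GNUPG:] TRUST_UNDEFINED
[25964] dbg: gpg: found signature made by key 8D25B5E91DAF0F715F60B588DC85341F6C6191E3
[25964] dbg: gpg: key id 6C6191E3 is not release trusted
channel: GPG validation failed, channel failed
"""

STATUS = re.compile(r"\[GNUPG:\][ \t]+(\w+)(?:[ \t]+(\S+))?")
UNTRUSTED = re.compile(r"key id (\w+) is not release trusted")


def triage(log, passed_gpgkeys=()):
    """Hypothetical helper; passed_gpgkeys = key IDs given via --gpgkey on that run."""
    status = {}
    for m in STATUS.finditer(log):
        status.setdefault(m.group(1), m.group(2))  # keyword -> first argument
    fingerprint = status.get("VALIDSIG")
    untrusted = UNTRUSTED.findall(log)
    passed = [k.upper() for k in passed_gpgkeys]
    listed = bool(fingerprint) and any(fingerprint.upper().endswith(k) for k in passed)

    if "BADSIG" in status or "ERRSIG" in status:
        verdict = "bad-signature"            # the download itself did not verify
    elif "GOODSIG" in status and untrusted:
        verdict = "key-not-release-trusted"  # signature fine, key not allowed
    elif "GOODSIG" in status:
        verdict = "ok"
    else:
        verdict = "no-signature-check"
    return {
        "verdict": verdict,
        "fingerprint": fingerprint,
        "gpg_trust_undefined": "TRUST_UNDEFINED" in status,  # gpg's own warning
        "untrusted_key_ids": untrusted,
        # Key IDs the log rejects that the examined run did not pass via --gpgkey.
        "add_gpgkey": [k for k in untrusted if k.upper() not in passed and not listed],
        "channel_failed": "GPG validation failed" in log,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Pass the key IDs from the cron job's actual command line as `passed_gpgkeys`; an empty `add_gpgkey` alongside a `key-not-release-trusted` verdict means the log came from a run other than the one being compared.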
