Today when I went out to check our server (running CentOS 5), it shows that there is an update for the Webmin 1.360 via the Virtualmin. When telling it to update, it fails. I then did an SSL over to the server and initiate "yum update", I get "Public key for webmin-1.360-1.noarch.rpm is not installed"
I do up a new load for CentOS on the backup equipment, install the current updates, and initiate the current install.sh that is for download. It fails with "Public key for webmin-1.360-1.noarch.rpm is not installed".
To update, you might get by if you set gpgcheck in /etc/yum.repos.d/virtualmin.repo under the universal heading (last line) to 0. That way it doesn’t check the gpg keys for the webmin package.
I think the same can be done for installing, just need to rename the virtualmin.repo.rpmsave to virtualmin.repo and make the same adjustment. Then re-run install.sh.
Of course, its also possible that the webmin rpm on the virutalmin repo is hacked and we really shouldn’t install it. The signature is there for a reason, after all
I started resigning the Webmin and Usermin packages as of yesterday, for Mandriva users (urpmi only supports one key per repository). This ordinarily wouldn’t be a problem, but the Webmin and Usermin RPMs are built with a very old version of RPM in order to insure maximal compatibility across nearly all RPM-based distributions…and the signing stuff is broken for 3.x built packages on 4.x. And I only have 4.x versions of RPM here.