  1. #1
    Just Joined!
    Join Date
    Dec 2011
    Posts
    2

    Centos rpm/yum/repository gpg issues

    Hi,
    I have 'client' in Centos 5.6 where I want to install rpm packages with:
    Code:
    yum install package
    from repository which I created on 'server' ( Centos 6.0 ). I would like packages to be signed, but I get some errors while trying to get things right:
    firstly I had:
    Code:
    rpmts_HdrFromFdno: Header V4 RSA/SHA1 signature: BAD, key ID ebb3d90e
    even if I have imported my public key to client which was present in rpm keys. It was listed by running:
    Code:
    rpm -q gpg-pubkey
    gpg-pubkey-e8562897-459f07a4
    gpg-pubkey-217521f6-45e8a532
    gpg-pubkey-ebb3d90e-4ee5e6e8
    I deleted the signatures with:
    Code:
    rpm --delsign <package>
    and wanted to check if the package would then be installed, but I continuously got:
    Code:
    [Errno -1] Package does not match intended download
    with or without signing the packages:
    Code:
    rpm -K *.rpm
    <package1>-1.0-1.i386.rpm: sha1 md5 OK
    <package2>-0.1-1.noarch.rpm: sha1 md5 OK
    <package3>-0.1-1.i386.rpm: sha1 md5 OK
    <package4>-3.6.5-1.i386.rpm: sha1 md5 OK
    I found that this error might be solved by:
    Code:
    yum clean all
    which cleans yum cache, which might be a problem, but in this case it didn't help.

    I created repository with:
    Code:
    createrepo -s sha1 <dir>
    because without sha1 I had a problem with adding my repository to yum repo list:
    Code:
    [Errno -3] Error performing checksum
    Packages were created on client and were signed on server.

    On client my repository configuration file /etc/yum.repos.d/my-repo.repo looks like this:
    Code:
    [myrepo]
    name=myrepo
    baseurl=h-t-t-p-s:-/-/login:pass'at'address.to.my.repo
    enabled=1
    gpgcheck=1
    gpgkey=h-t-t-p-s:-/-/login:pass'at'address.to.my.repo/MY-GPG-KEY
    protect=1
    Sorry for '-' and 'at' in addresses but in this forum I am currently not allowed to post urls.

    Any suggestions would be appreciated.
    If I must learn something - all links to tutorials/guides/documentations will be also very helpful.
    I spent a lot of time trying to solve this issue and many forums (I have also checked this one) and google didn't help me.

  2. #2
    Trusted Penguin Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,393
    I'm not very familiar with this, but it's been a day and nobody else has been able to help yet.

    I thought (and I could be wrong) that the binary rpm packages were signed at creation time, i.e. you need the packager's public key to check they are signed correctly. Have you tried with the public key of the original CentOS repo that you're copying from?
    Linux user #126863 - see http://linuxcounter.net/

  3. #3
    Just Joined!
    Join Date
    Dec 2011
    Posts
    2
    Thank you for replying.
    As far as I know rpms are not signed during creation if I didn't explicitly want them to be signed. In the meantime I managed to make things right, but sadly without cryptography.
    I discovered that:
    Code:
    yum clean all
    doesn't really clean metadata, so I had to delete the signatures of the rpms on the server and do:
    Code:
    yum clean metadata
    on client.

    I will try to create and sign packages at the same time on server then.
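
Added example (not part of the thread, and not yum's or createrepo's own code): yum reports "Package does not match intended download" when a downloaded file's checksum differs from the one recorded in the repository's primary metadata, which is what happens if packages are signed or have signatures removed after `createrepo` has run. The sketch below compares package files with a primary.xml; the file name, the package bytes and the `build_primary` stand-in for createrepo are constructed for the demonstration.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"c": "http://linux.duke.edu/metadata/common"}
ALGOS = {"sha": "sha1"}  # older createrepo writes SHA-1 as type="sha"
PKG = "pkg-1.0-1.i386.rpm"  # constructed file name

def stale_packages(primary_xml: bytes, repo_dir: Path) -> list:
    """Return (href, reason) for packages that no longer match the metadata."""
    problems = []
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        csum = pkg.find("c:checksum", NS)
        algo = ALGOS.get(csum.get("type"), csum.get("type"))
        path = repo_dir / href
        if not path.is_file():
            problems.append((href, "missing"))
        elif hashlib.new(algo, path.read_bytes()).hexdigest() != csum.text.strip():
            problems.append((href, "checksum mismatch"))
    return problems

def build_primary(repo_dir: Path) -> bytes:
    """Stand-in for createrepo: minimal constructed primary.xml with SHA-1 sums."""
    entries = "".join(
        '<package type="rpm"><checksum type="sha1" pkgid="YES">%s</checksum>'
        '<location href="%s"/></package>'
        % (hashlib.sha1(p.read_bytes()).hexdigest(), p.name)
        for p in sorted(repo_dir.glob("*.rpm")))
    return ('<metadata xmlns="%s">%s</metadata>' % (NS["c"], entries)).encode()

def demo():
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d)
        (repo / PKG).write_bytes(b"constructed header+signature+payload")
        primary = build_primary(repo)           # metadata generated once
        before = stale_packages(primary, repo)  # file and metadata agree
        # Simulate rpm --delsign / re-signing: the file bytes change,
        # but the metadata is not regenerated.
        (repo / PKG).write_bytes(b"constructed header+payload")
        after = stale_packages(primary, repo)
        fresh = stale_packages(build_primary(repo), repo)  # metadata rebuilt
        return before, after, fresh

if __name__ == "__main__":
    print(demo())
```

On a real repository the primary metadata is stored compressed under `repodata/` and has to be decompressed before being passed to `stale_packages`. Any mismatch it reports means the metadata must be regenerated after the last change to the packages, and clients must then refresh their cached metadata.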
