On Mon 11/08/2003 at 23:14, Florin Andrei wrote:
> On Mon, 2003-08-11 at 14:02, Geoff Reedy wrote:
> > On Mon, Aug 11, 2003 at 01:42:32PM -0700, Florin Andrei <florin sgi com> said
> > > "Hewlett-Packard, IBM, RSA Security, InstallShield Software, and Sun
> > > Microsystems are also involved in the File Signature Database (FSDB)
> > > effort. The repository will store metadata about individual files
> > > created by each of the vendors, such as the file's name, a "born-on"
> > > date and its digital hash values."
> > >
> > > Any plans to do that with Red Hat as well?
> >
> > This sounds a lot like what can already be done with a command like rpm -Va.
>
> Yes and no.
>
> Yes, it's the same idea.
>
> No, because with FSDB the signatures will be stored somewhere else, on a
> trusted site, not on the system itself (not even on the owner's
> network). Hence, even if your entire network gets compromised (unlikely,
> but still...) you still have a trusted signature database to compare
> with.

Authenticate the package:

# rpm --checksig http://updates.redhat.com/9/en/os/i386/eog-2.2.0-2.i386.rpm
http://updates.redhat.com/9/en/os/i386/eog-2.2.0-2.i386.rpm: (sha1) dsa sha1 md5 gpg OK

Check the installation against the trusted package:

# rpm -V -p http://updates.redhat.com/9/en/os/i386/eog-2.2.0-2.i386.rpm

If the GPG key is not imported or the package has a bad signature:

# rpm --checksig apt-0.5.5cnc6-fr1.i386.rpm
apt-0.5.5cnc6-fr1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#e42d547b)

--
Féliciano Matias <feliciano matias free fr>
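The procedure above only makes sense if `rpm -V -p` is run against a package whose signature actually verified; a script that automates it has to read the `rpm --checksig` verdict and treat both "NOT OK" and "NOT OK (MISSING KEYS: ...)" as a reason to stop. The following is an added example, not code from the thread: `classify_checksig` parses verdict lines in the format shown above (the sample lines are constructed from that format, and the key id is reused from the thread as a placeholder), and `verify_installed` is a hypothetical wrapper that only runs `rpm -V -p` when the verdict is a plain OK.

```shell
#!/bin/sh
# Added example: gate "rpm -V -p <trusted package>" on the rpm --checksig verdict.
# The verdict format follows the lines shown in the thread (rpm of that era);
# newer rpm words the line differently but still prints OK / NOT OK.

# classify_checksig LINE -> prints one of: OK, NOT_OK, MISSING_KEY <id>, UNKNOWN
classify_checksig() {
    line=$1
    case $line in
        *"MISSING KEYS: "*)
            # Unverifiable: the signing key is not in the rpm keyring.
            # Extract the key id between "MISSING KEYS: " and the closing ")".
            key=${line##*MISSING KEYS: }
            key=${key%%)*}
            printf 'MISSING_KEY %s\n' "$key"
            ;;
        *" NOT OK"*)
            # Must be tested before the plain OK case: "NOT OK" also ends in " OK".
            printf 'NOT_OK\n'
            ;;
        *" OK")
            printf 'OK\n'
            ;;
        *)
            printf 'UNKNOWN\n'
            ;;
    esac
}

# verify_installed PKG (path or URL): compare installed files against the
# package only when its signature verified. Returns 1 on a bad signature,
# 2 when the signing key is missing (so the result would be meaningless).
verify_installed() {
    pkg=$1
    verdict=$(rpm --checksig "$pkg" 2>&1 | head -n 1)
    case $(classify_checksig "$verdict") in
        OK) rpm -V -p "$pkg" ;;
        MISSING_KEY*) echo "refusing: signing key not imported: $verdict" >&2; return 2 ;;
        *) echo "refusing: signature did not verify: $verdict" >&2; return 1 ;;
    esac
}

# Constructed sample verdicts (format as shown in the thread):
classify_checksig 'eog-2.2.0-2.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
classify_checksig 'apt-0.5.5cnc6-fr1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#e42d547b)'
```

`rpm --checksig` also exits non-zero when the verdict is NOT OK, so the exit status can serve as a second check alongside the parsed line.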