Verifying downloaded packages
Paul Howarth
paul at city-fan.org
Fri Jul 1 20:50:06 UTC 2005
On Fri, 2005-07-01 at 14:16 -0500, Michael Yep wrote:
> Hello
>
> I installed an rpm on my system that I got off the web.
> How can I know if it is a trusted package?
>
> [winston at localhost ~]$ rpm -vvK compat-libstdc++-296-2.96-132.fc4.i386.rpm
> D: Expected size: 178657 = lead(96)+sigs(344)+pad(0)+data(178217)
> D: Actual size: 178657
> D: opening db index /var/lib/rpm/Packages rdonly mode=0x0
> D: locked db index /var/lib/rpm/Packages
> D: opening db index /var/lib/rpm/Pubkeys rdonly mode=0x0
> D: read h# 279 Header sanity check: OK
> D: ========== DSA pubkey id b44269d0 4f2a6fd2 (h#279)
> compat-libstdc++-296-2.96-132.fc4.i386.rpm:
> Header V3 DSA signature: OK, key ID 4f2a6fd2
> Header SHA1 digest: OK (dcd6900d5f8126232eee364b4662fe7e38155377)
> MD5 digest: OK (b0580787dce3f1a1bbf9774340d20cf8)
> V3 DSA signature: OK, key ID 4f2a6fd2
> D: closed db index /var/lib/rpm/Pubkeys
> D: closed db index /var/lib/rpm/Packages
> D: May free Score board((nil))
> [winston at localhost ~]$
>
> I forget where I even downloaded it from, but I didn't import anything
> to my keyring.
> What keys come with FC4?
Look in /etc/pki/rpm-gpg
> Which ones are trusted?
Anything that's in there has presumably been put there as a result of a
package installation (you could use "rpm -qf /etc/pki/rpm-gpg/filename"
to see which package a key belongs to) and it should be reasonable for
you to trust any key provided by a package you've already installed, if
you're careful as you appear to be about these things.
> I understand that the package has the correct checksum, but can I trust
> the signer?
The key in this case is the RPM-GPG-KEY-fedora one. Decide for
yourself :-)
Paul.
--
Paul Howarth <paul at city-fan.org>
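The thread reads the `rpm -Kv` output by eye: a "signature: OK, key ID ..." line means the package carries a GPG signature and the signing key is already in the rpm database, while a package with only "digest: OK" lines is merely intact, not signed. The script below is an added example, not part of the original thread and not Fedora's own tooling. It classifies constructed copies of that output (the OK sample follows the lines quoted above; the NOKEY and BAD line shapes, and the creation-timestamp suffix of the gpg-pubkey package name, are assumptions about rpm's output format) and then maps the key ID to the gpg-pubkey package that holds the key, which is the same step as running `rpm -q gpg-pubkey` and `rpm -qi gpg-pubkey-<id>-*` on a live system.

```shell
#!/bin/sh
# Added example: classify `rpm -Kv` output and map the signing key ID to the
# gpg-pubkey package that holds it. All sample text below is constructed.

# Constructed: the output shape quoted in the thread (key already imported).
SIGNED_OK='compat-libstdc++-296-2.96-132.fc4.i386.rpm:
Header V3 DSA signature: OK, key ID 4f2a6fd2
Header SHA1 digest: OK (dcd6900d5f8126232eee364b4662fe7e38155377)
MD5 digest: OK (b0580787dce3f1a1bbf9774340d20cf8)
V3 DSA signature: OK, key ID 4f2a6fd2'

# Constructed (assumed shape): same package before the key was imported.
SIGNED_NOKEY='compat-libstdc++-296-2.96-132.fc4.i386.rpm:
Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
Header SHA1 digest: OK (dcd6900d5f8126232eee364b4662fe7e38155377)
MD5 digest: OK (b0580787dce3f1a1bbf9774340d20cf8)
V3 DSA signature: NOKEY, key ID 4f2a6fd2'

# Constructed: an unsigned package only gets digest lines.
UNSIGNED='example-unsigned-1.0-1.i386.rpm:
Header SHA1 digest: OK (0000000000000000000000000000000000000000)
MD5 digest: OK (00000000000000000000000000000000)'

# Constructed (assumed shape): a tampered payload fails the digest.
BAD_DIGEST='compat-libstdc++-296-2.96-132.fc4.i386.rpm:
Header V3 DSA signature: OK, key ID 4f2a6fd2
Header SHA1 digest: OK (dcd6900d5f8126232eee364b4662fe7e38155377)
MD5 digest: BAD Expected(b0580787dce3f1a1bbf9774340d20cf8) != (ffffffffffffffffffffffffffffffff)
V3 DSA signature: BAD, key ID 4f2a6fd2'

# Constructed `rpm -q gpg-pubkey` output; the timestamp suffixes are illustrative.
IMPORTED_KEYS='gpg-pubkey-4f2a6fd2-3f9d9d3b
gpg-pubkey-db42a60e-37ea5438'

# rpm_k_verdict OUTPUT: prints exactly one verdict for an `rpm -Kv` transcript.
#   signed-ok:<keyid>  signature present and every digest/signature line is OK
#   nokey:<keyid>      signature present but the signing key is not in the rpmdb
#   unsigned           digest lines only, so integrity but no provenance
#   bad                at least one digest or signature line is not OK
rpm_k_verdict() {
    out=$1
    sigs=$(printf '%s\n' "$out" | grep -c 'signature:' || true)
    if [ "$sigs" -eq 0 ]; then
        echo unsigned
        return 0
    fi
    keyid=$(printf '%s\n' "$out" \
        | sed -n 's/.*signature:.*key ID \([0-9a-fA-F]*\).*/\1/p' | head -n 1)
    if printf '%s\n' "$out" | grep -q 'signature: NOKEY'; then
        echo "nokey:$keyid"
        return 0
    fi
    # Any verdict line (digest or signature) that is not OK makes the whole
    # package untrustworthy, whatever the other lines say.
    if printf '%s\n' "$out" | grep -E 'signature:|digest:' \
        | grep -v -E 'signature: OK|digest: OK' | grep -q .; then
        echo bad
        return 0
    fi
    echo "signed-ok:$keyid"
}

# key_package_for_id KEYID IMPORTED_LIST: prints the gpg-pubkey package whose
# name carries that short key ID (empty if the key was never imported).
key_package_for_id() {
    printf '%s\n' "$2" | grep "^gpg-pubkey-$1-" || true
}

# Stand-alone demo over the constructed samples.
for sample in "$SIGNED_OK" "$SIGNED_NOKEY" "$UNSIGNED" "$BAD_DIGEST"; do
    verdict=$(rpm_k_verdict "$sample")
    printf '%s -> %s\n' "${sample%%:*}" "$verdict"
done
printf 'key 4f2a6fd2 lives in: %s\n' "$(key_package_for_id 4f2a6fd2 "$IMPORTED_KEYS")"
```

On a real system, feed `rpm_k_verdict "$(rpm -Kv file.rpm)"` and `key_package_for_id <id> "$(rpm -q gpg-pubkey)"`; `rpm -qi` on the returned package shows the key's user ID, and `rpm -qf /etc/pki/rpm-gpg/<file>` names the package (for FC4, the fedora-release package) that shipped the key file, which is the trust decision the thread leaves to the reader.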