Verifying downloaded packages

Michael Yep myep at remotelink.com
Fri Jul 1 19:16:35 UTC 2005


Hello

I installed an rpm on my system that I got off the web.
How can I know if it is a trusted package?

[winston at localhost ~]$ rpm  -vvK compat-libstdc++-296-2.96-132.fc4.i386.rpm
D: Expected size:       178657 = lead(96)+sigs(344)+pad(0)+data(178217)
D:   Actual size:       178657
D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: opening  db index       /var/lib/rpm/Pubkeys rdonly mode=0x0
D:  read h#     279 Header sanity check: OK
D: ========== DSA pubkey id b44269d0 4f2a6fd2 (h#279)
compat-libstdc++-296-2.96-132.fc4.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (dcd6900d5f8126232eee364b4662fe7e38155377)
    MD5 digest: OK (b0580787dce3f1a1bbf9774340d20cf8)
    V3 DSA signature: OK, key ID 4f2a6fd2
D: closed   db index       /var/lib/rpm/Pubkeys
D: closed   db index       /var/lib/rpm/Packages
D: May free Score board((nil))
[winston at localhost ~]$

I forget where I even downloaded it from, but I didn't import anything 
to my keyring.
What keys come with FC4?  Which ones are trusted?

I understand the package has the correct checksum, but can I trust 
the signer?

-- 
Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164 




More information about the fedora-list mailing list