[SOLVED] Verifying downloaded packages

Michael Yep myep at remotelink.com
Fri Jul 1 21:04:18 UTC 2005


Thanks

Paul Howarth wrote:

>On Fri, 2005-07-01 at 14:16 -0500, Michael Yep wrote:
>  
>
>>Hello
>>
>>I installed an rpm on my system that I got off the web. 
>>How can I know if it is a trusted package?
>>
>>[winston at localhost ~]$ rpm  -vvK compat-libstdc++-296-2.96-132.fc4.i386.rpm
>>D: Expected size:       178657 = lead(96)+sigs(344)+pad(0)+data(178217)
>>D:   Actual size:       178657
>>D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0
>>D: locked   db index       /var/lib/rpm/Packages
>>D: opening  db index       /var/lib/rpm/Pubkeys rdonly mode=0x0
>>D:  read h#     279 Header sanity check: OK
>>D: ========== DSA pubkey id b44269d0 4f2a6fd2 (h#279)
>>compat-libstdc++-296-2.96-132.fc4.i386.rpm:
>>    Header V3 DSA signature: OK, key ID 4f2a6fd2
>>    Header SHA1 digest: OK (dcd6900d5f8126232eee364b4662fe7e38155377)
>>    MD5 digest: OK (b0580787dce3f1a1bbf9774340d20cf8)
>>    V3 DSA signature: OK, key ID 4f2a6fd2
>>D: closed   db index       /var/lib/rpm/Pubkeys
>>D: closed   db index       /var/lib/rpm/Packages
>>D: May free Score board((nil))
>>[winston at localhost ~]$
>>
>>I forget where I even downloaded it from, but I didn't import anything 
>>to my keyring.
>>What keys come with FC4?
>>    
>>
>
>Look in /etc/pki/rpm-gpg
>
>  
>
>>Which ones are trusted?
>>    
>>
>
>Anything that's in there has presumably been put there as a result of a
>package installation (you could use "rpm -qf /etc/pki/rpm-gpg/filename"
>to see which package a key belongs to) and it should be reasonable for
>you to trust any key provided by a package you've already installed, if
>you're careful as you appear to be about these things.
>
>  
>
>>I understand that the package has the correct checksum, but can I trust 
>>the signer?
>>    
>>
>
>The key in this case is the RPM-GPG-KEY-fedora one. Decide for
>yourself :-)
>
>Paul.
>  
>

-- 
Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164 
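
The distinction raised in the thread (digests that check out versus a signer you have decided to trust), as an added example that is not part of the original messages: a shell script that parses `rpm -vK` output in the layout quoted above and accepts a package only when every check is OK and each signing key ID is on a list you supply. The function names and the trusted-ID argument are assumptions; the sample output is copied from the thread with the `D:` debug lines dropped.

```shell
#!/bin/sh
# Sample `rpm -vK` output, copied from the thread (debug "D:" lines omitted).
sample_output() {
cat <<'EOF'
compat-libstdc++-296-2.96-132.fc4.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (dcd6900d5f8126232eee364b4662fe7e38155377)
    MD5 digest: OK (b0580787dce3f1a1bbf9774340d20cf8)
    V3 DSA signature: OK, key ID 4f2a6fd2
EOF
}

# Print the unique key IDs of signatures that verified OK (rpm -vK output on stdin).
signed_key_ids() {
    sed -n 's/^.*[Ss]ignature: OK, key ID \([0-9A-Fa-f]*\).*$/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# verdict "ID ID ..."   (rpm -vK output on stdin)
# Prints one of: trusted | untrusted-key <id> | unsigned | failed
verdict() {
    trusted=" $1 "
    out=$(cat)
    # Any digest or signature line that is not OK fails the package outright.
    if printf '%s\n' "$out" | grep -Ei '(digest|signature):' | grep -vq ': OK'; then
        echo failed; return 1
    fi
    ids=$(printf '%s\n' "$out" | signed_key_ids)
    # Digests alone only show the file is intact; they say nothing about origin.
    [ -n "$ids" ] || { echo unsigned; return 1; }
    for id in $ids; do
        case "$trusted" in
            *" $id "*) ;;                          # signer is on the caller's list
            *) echo "untrusted-key $id"; return 1 ;;
        esac
    done
    echo trusted
}

# Live use (assumes rpm is installed; imported keys appear as gpg-pubkey packages):
#   rpm -vK pkg.rpm | verdict "$(rpm -q gpg-pubkey --qf '%{VERSION} ')"
sample_output | verdict "4f2a6fd2"
```

Newer rpm releases print signature lines in a different layout, so the `sed` pattern matches only the format shown in this thread.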



