Mailinglist Archive: opensuse-security (191 mails)
Re: [suse-security] checking rpm integrity
- From: dproc <dproc@xxxxxxx>
- Date: Fri, 7 Apr 2000 22:33:12 -0400
- Message-id: <20000407223312.A4921@xxxxxxxxxxxxxxx>
On Fri, 07 Apr 2000, Volker Kuhlmann wrote:
> Stupid question: when I download an updated rpm for SuSE, how do I check
> whether it's really come from SuSE???
> It does not seem to be a very reliable way to go. I find that
>
> > md5sum -c ~/t/m
> update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm: FAILED
.... I am getting the same problem. Just downloaded the
above file and I get:
# md5sum kreatecd-0.3.8b-0.i386.rpm
a9ad2ebb07c094d49658efd6b0941c73 kreatecd-0.3.8b-0.i386.rpm
This is different to Volker's result:
> > md5sum update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm
> ec64fd1187373f48c02922eb71ae2f7a update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm
>
But also differs from the announcement:
09cbe9a08cf2b0d5d5d0b1963c3edbcd ftp://ftp.s....
So I just downloaded the htdig update for 6.3:
# md5sum -b htdig-3.1.5-0.i386.rpm
cf847dffc94c759e7fd7c3d1ab54de40 *htdig-3.1.5-0.i386.rpm
And the announcement says:
0e302f0ebe4772a3f84ad8390f62c4e8 ftp://ftp.suse.c....
What are Volker and I doing wrong? It makes me feel like a
newbie all over again.
My md5sum is from an old SuSE CD rpm "textutil-1.22-18"
# md5sum --version
md5sum (GNU textutils) 1.22
> Question: why does SuSE not pgp/gpg sign their rpms?
If I knew how to work md5sum right I would be happy. With
pgp I think we have compatibility, licence and US export
issues (**is it legal in France to use pgp for signature
checking??) The SuSE CDs have pgp version 2.6.2 (as do
RedHat CDs I think), but it seems that many suse-security
list members use version 5 source release or version 6
binary release. 5 and 6 are not compatible with my
version of rpm, I think.
GPG is very young for me to totally trust it, yet. Does it
work with rpm?
Regards, dproc
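The announcement lines quoted in the message above pair an MD5 sum with an ftp URL, while the downloaded file sits under a different local path. The script below is an added example, not part of the original post or of any SuSE tooling: it checks local files against such a list by basename. The function name check_announced, the host ftp.example.invalid and the file names are constructed for illustration.

```shell
#!/bin/sh
# check_announced ANNOUNCEMENT DIR
# Reads "<md5> <url-or-path>" lines (the layout quoted from the announcement
# in this thread) and checks the file with the same basename in DIR.
# Prints "<name>: OK|FAILED|MISSING"; returns 1 unless every file is OK.
check_announced() {
    ann=$1 dir=$2 rc=0
    while read -r want target _; do
        # Skip prose lines: the first field must be exactly 32 hex digits.
        case $want in *[!0-9A-Fa-f]*) continue ;; esac
        [ "${#want}" -eq 32 ] && [ -n "$target" ] || continue
        name=${target##*/}      # the URL path differs from the local path
        name=${name#\*}         # drop the "*" that md5sum -b prints
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ ! -f "$dir/$name" ]; then
            echo "$name: MISSING"; rc=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "$name: OK"
        else
            echo "$name: FAILED (announced $want, local $got)"; rc=1
        fi
    done < "$ann"
    return "$rc"
}

# Constructed demo: two local files and an announcement that matches only one.
demo() {
    d=$(mktemp -d) || return 2
    printf 'good payload\n' > "$d/good-1.0-0.i386.rpm"
    printf 'truncated\n'    > "$d/bad-1.0-0.i386.rpm"
    good=$(md5sum < "$d/good-1.0-0.i386.rpm" | cut -d' ' -f1)
    {
        echo "Please update. MD5 sums (constructed sample):"
        echo "$good  ftp://ftp.example.invalid/pub/good-1.0-0.i386.rpm"
        echo "00000000000000000000000000000000  ftp://ftp.example.invalid/pub/bad-1.0-0.i386.rpm"
        echo "ffffffffffffffffffffffffffffffff  ftp://ftp.example.invalid/pub/absent-1.0-0.i386.rpm"
    } > "$d/announce.txt"
    status=0
    check_announced "$d/announce.txt" "$d" || status=$?
    rm -rf "$d"
    return "$status"
}

demo || echo "at least one file did not verify"
```

A match only shows that the local file is the one the announcement lists; it says nothing about who wrote the announcement, which is the signing question raised in the thread.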