Mailinglist Archive: opensuse-security (191 mails)

checking rpm integrity
  • From: Volker Kuhlmann <kuhlmav@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 07 Apr 2000 16:56:20 +1200 (NZST)
  • Message-id: <200004070456.QAA10568@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Stupid question: when I download an updated rpm for SuSE, how do I check
whether it's really come from SuSE???

There is md5sum - but arrrrrrrrgggggggggg it's tedious!!!

Copy the relevant lines out of the SuSE advisory into a new file, edit
out the "ftp://..." part at the front, save, run md5sum -c.
That can't be it, can it?

It does not seem to be a very reliable way to go. I find that

> md5sum -c ~/t/m
update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm: FAILED

from

09cbe9a08cf2b0d5d5d0b1963c3edbcd ftp://ftp.suse.com/pub/suse/i386/update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm

> md5sum update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm
ec64fd1187373f48c02922eb71ae2f7a update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm

I know SuSE has published bogus md5 sums before. Has it happened
again? Seems like it. See:

ec64fd1187373f48c02922eb71ae2f7a ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/gpm-1.18.1-45.i386.rpm

out of the gpm advisory.

<HERESY>
When I was still using Red Hat, the whole job for any number of downloaded
rpms was done with "rpm -Kv *.rpm".
</HERESY>

Question: why does SuSE not pgp/gpg sign their rpms? It would be much
more user-friendly as well as less error-prone. Or does it take that
much more effort to organise on SuSE's part?

(This is what I was meaning to gripe about for a while :-( )

Volker

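One way to automate the routine the post complains about (copy the md5 lines out of the advisory, strip the ftp:// prefix, run md5sum -c), as an added shell example that is not part of the original message and not SuSE tooling. The advisory file name, the rpm names and the sums it checks are constructed for the demo; it assumes the rpms were downloaded into the current directory and that md5sum is the GNU one that accepts -c.

```shell
#!/bin/sh
# Added example (not from the original post): turn the "<md5> ftp://.../file.rpm"
# lines of a SuSE advisory into the "<md5>  file.rpm" form md5sum -c expects,
# then verify the downloaded rpms in the current directory.

# advisory_to_md5list: stdin = advisory text, stdout = md5sum -c input.
# Only lines of the form "<32 hex chars> ftp://.../<basename>" survive, so the
# whole advisory can be pasted in without hand-editing; the URL is reduced to
# its basename because that is where the downloaded file sits.
advisory_to_md5list() {
    sed -n 's|^\([0-9a-f]\{32\}\)[[:space:]]\{1,\}ftp://.*/\([^/][^/]*\)$|\1  \2|p'
}

# verify_downloads: $1 = advisory file. Returns 0 only if every rpm named in
# the advisory is present and its sum matches; md5sum -c prints OK/FAILED per
# file and exits non-zero on any mismatch, which is passed through.
verify_downloads() {
    list=$(mktemp "${TMPDIR:-/tmp}/md5list.XXXXXX") || return 1
    advisory_to_md5list < "$1" > "$list"
    if [ ! -s "$list" ]; then
        echo "no md5 lines found in $1" >&2
        rm -f "$list"
        return 1
    fi
    rc=0
    md5sum -c "$list" || rc=$?
    rm -f "$list"
    return $rc
}

# demo: constructed data. Builds a scratch directory with one "rpm" whose
# content matches the advisory (md5 of "hello\n") and one whose content was
# changed after the advisory was written, then runs verify_downloads and
# reports its exit status (0 = all OK, 1 = at least one FAILED).
demo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/rpmcheck.XXXXXX") || return 1
    (
      cd "$dir" || exit 1
      printf 'hello\n'    > good-1.0-0.i386.rpm
      printf 'tampered\n' > bad-1.0-0.i386.rpm
      {
        echo 'SuSE Security Announcement (constructed sample, not a real advisory)'
        echo 'b1946ac92492d2347c6235b4d2611184 ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/good-1.0-0.i386.rpm'
        echo 'b1946ac92492d2347c6235b4d2611184 ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/bad-1.0-0.i386.rpm'
      } > advisory.txt
      rc=0
      verify_downloads advisory.txt || rc=$?
      echo "exit status: $rc"
    )
    rm -rf "$dir"
}
```

Running demo prints one "OK" line, one "FAILED" line and "exit status: 1"; a script should key on that exit status rather than on the text. Note what a matching sum does and does not prove: it shows the file you fetched is the one the advisory describes, provided the advisory text itself reached you unaltered, and it cannot tell a wrong download from a wrong advisory (the mismatch in the post above is exactly the case the script can only report as FAILED). "rpm -K" gives real provenance only for packages that carry a PGP/GPG signature whose key is in your keyring; on an unsigned package it only checks the size and MD5 digest stored in the package's own signature header, which anyone who rebuilt the package could regenerate.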