On Fri, 07 Apr 2000, Volker Kuhlmann wrote:
Stupid question: when I download an updated rpm for SuSE, how do I check whether it's really come from SuSE??? It does not seem to be a very reliable way to go. I find that
md5sum -c ~/t/m
update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm: FAILED

....

I am getting the same problem. Just downloaded the above file and I get:

# md5sum kreatecd-0.3.8b-0.i386.rpm
a9ad2ebb07c094d49658efd6b0941c73 kreatecd-0.3.8b-0.i386.rpm

This is different to Volker's result:

md5sum update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm
ec64fd1187373f48c02922eb71ae2f7a update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm

But also differs from the announcement:

09cbe9a08cf2b0d5d5d0b1963c3edbcd ftp://ftp.s....

So I just downloaded the htdig update for 6.3:

# md5sum -b htdig-3.1.5-0.i386.rpm
cf847dffc94c759e7fd7c3d1ab54de40 *htdig-3.1.5-0.i386.rpm

And the announcement says:

0e302f0ebe4772a3f84ad8390f62c4e8 ftp://ftp.suse.c....

What are Volker and I doing wrong? It makes me feel like a newbie all over again.

My md5sum is from an old SuSE CD rpm "textutil-1.22-18"

# md5sum --version
md5sum (GNU textutils) 1.22
Question: why does SuSE not pgp/gpg sign their rpms?
If I knew how to work md5sum right I would be happy.

With pgp I think we have compatibility, licence and US export issues (**is it legal in France to use pgp for signature checking??)

The SuSE CDs have pgp version 2.6.2 (as do RedHat CDs I think), but it seems that many suse-security list members use version 5 source release or version 6 binary release. 5 and 6 are not compatible with my version of rpm, I think.

GPG is very young for me to totally trust it, yet. Does it work with rpm?

Regards,
dproc
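
The comparison attempted in the message above, as an added example that is not part of the original thread: look up a downloaded file's MD5 in a saved announcement and compare it with the locally computed value. It assumes announcement lines have the form "<md5> <url>"; the function names, the example.invalid URL and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.
# Assumption: announcement lines look like "<32-hex-md5> <url-ending-in-filename>".

# announced_md5 ANNOUNCEMENT FILE: print the MD5 listed for FILE's basename.
announced_md5() {
    base=$(basename "$2")
    awk -v b="$base" '
        $1 ~ /^[0-9a-fA-F]+$/ && length($1) == 32 {
            n = split($2, parts, "/")      # compare the last URL component exactly
            if (parts[n] == b) { print tolower($1); exit }
        }' "$1"
}

# verify_announced ANNOUNCEMENT FILE
# returns 0 = match, 1 = mismatch, 2 = file not listed in the announcement
verify_announced() {
    want=$(announced_md5 "$1" "$2")
    if [ -z "$want" ]; then
        echo "$2: not listed in announcement" >&2
        return 2
    fi
    # Hash from stdin so the output carries only the digest (no "*name" suffix).
    got=$(md5sum < "$2" | awk '{print $1}')
    if [ "$got" = "$want" ]; then
        echo "$2: OK"
    else
        echo "$2: FAILED (announced $want, computed $got)" >&2
        return 1
    fi
}

# Constructed demo: a throwaway file and an announcement that lists it.
demo() {
    d=$(mktemp -d) || return 1
    f="$d/example-1.0-0.i386.rpm"
    printf 'constructed package bytes\n' > "$f"
    sum=$(md5sum < "$f" | awk '{print $1}')
    printf '%s ftp://ftp.example.invalid/update/example-1.0-0.i386.rpm\n' "$sum" > "$d/announce.txt"
    rc=0
    verify_announced "$d/announce.txt" "$f" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

A match only shows that the file is the one the announcement lists; it says nothing about who wrote the announcement, which is the gap the signing question in the message is about.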