Hi Everybody!

Please, can somebody tell me how to verify a md5 checksum?

I read the rpm manpage and it says something about md5 checksums there, but I don't know how to pass a given checksum to rpm. In the manpage it says something about a database, but surely the checksum of an update-package wouldn't be in a database, would it? If it were, it wouldn't be provided along with the package now, would it?

Thanks in advance,
Till Rotter
On Fri, 11 Feb 2000, Till Rotter wrote:
Hi Everybody!
Please, can somebody tell me how to verify a md5 checksum?
I read the rpm manpage and it says something about md5 checksums there, but I don't know how to pass a given checksum to rpm. In the manpage it says something about a database, but surely the checksum of an update-package wouldn't be in a database, would it? If it were, it wouldn't be provided along with the package now, would it?
Your SuSE Linux should come with a program /usr/bin/md5sum, provided you have installed textutil.rpm (that's where md5sum is packaged in SuSE 6.1). You can verify md5 checksums by issuing the command

    md5sum whatever-package.rpm

The output will look like

    6171c3ebb14dabc5bf38c9ccd4c564ad  whatever-package.rpm

You can then compare the computed checksum with the one given in the security announcement. If you're lucky enough, they will match. If not, there might just be something wrong with the announcement (hint, SuSE Team ... ;-) or something serious is happening here, i.e. you may have downloaded a Trojan horse. Of course, then it is not recommended to install the downloaded package ... ;-)

To your other questions: rpm can verify md5 checksums of the contents of already installed packages, file by file. This is probably not what you want right now (though it may help you in case an intruder has cracked your machine, provided the rpm database can still be trusted - and then Tripwire is better anyway).

Bye,
Martin

--
Martin Leweling
Institut fuer Planetologie, WWU Muenster, Germany
Please sign the Linux Driver Petition on http://www.libranet.com/petition.html
Till Rotter wrote:
Hi Everybody!
Please, can somebody tell me how to verify a md5 checksum?
Hi,

You have a few options:

Look in /usr/bin for a binary named md5sum - if you have it, type "md5sum --help" in an xterm or from the command line (don't type in the quotes) and it will spit out a list of instructions for you to follow. If you don't have it, it is certainly available from SuSE's ftp site and your SuSE CDROM set.

You can also use "gpg --print-md MD5 filename" (again, don't type in the quotes).

You can also probably use pgp - though I don't know the exact switches for pgp.

For gpg and pgp, you must (obviously) have one or the other installed before you can use them.

Does anybody else have another way to check them?

John
Hi...
I read the rpm manpage and it says something about md5 checksums there, but I don't know how to pass a given checksum to rpm. In the manpage it says something about a database, but surely the checksum of an update-package wouldn't be in a database, would it?
How to check the md5 checksum of an rpm package before installing it was written here before. But what rpm provides, and what you may have found in the man page, is the check of already installed packages. The original md5 checksums of the installed files are stored in the rpm database. Now you can compare these to the actual files with

    rpm --verify <packagename>

So you can see if some files have been modified since installation. You can do this for all installed packages with something like:

    for i in `rpm -qa`; do rpm --verify $i; done

But better install the package seccheck from Marc Heuse, this will do these checks for you regularly.

stephan

 ____________________________________________________________
|  .~.    s.martin@odn.de                                    |
|  /V\    fon    +49(0)911.2256 03                           |
| /( )\   fax    +49(0)911.2256 06                           |
| ^`~'^   mobile +49(0)173.380 43 12                         |
|____________________________________________________________|
participants (4)
- John Pinder
- Martin Leweling
- Stephan Martin
- Till Rotter