checking rpm integrity
Stupid question: when I download an updated rpm for SuSE, how do I check whether it's really come from SuSE??? There is md5sum - but arrrrrrrrgggggggggg it's tedious!!! Copy the relevant lines out of the SuSE advisory into a new file, edit out the "ftp://..." part at the front, save, run md5sum -c. That can't be it, can it? It does not seem to be a very reliable way to go. I find that

md5sum -c ~/t/m
update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm: FAILED

from

09cbe9a08cf2b0d5d5d0b1963c3edbcd ftp://ftp.suse.com/pub/suse/i386/update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm

md5sum update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm
ec64fd1187373f48c02922eb71ae2f7a update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm

I know SuSE has published bogus md5 sums before. Has it happened again? Seems like it. See:

ec64fd1187373f48c02922eb71ae2f7a ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/gpm-1.18.1-45.i386.rpm

out of the gpm advisory.

<HERESY> When I was still using Red Hat, the whole job for any number of downloaded rpms was done with "rpm -Kv *.rpm". </HERESY>

Question: why does SuSE not pgp/gpg sign their rpms? It would be much more user-friendly as well as less error-prone. Or does it take that much more effort to organise on SuSE's part? (This is what I was meaning to gripe about for a while :-( )

Volker
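An added example, not code from either poster: a small POSIX shell helper that automates the step Volker describes above, turning advisory lines of the form "<md5> ftp://.../file.rpm" into the "<md5>  file.rpm" form that GNU md5sum -c reads, skipping entries whose rpm is not in the download directory, and then running the check. It assumes a GNU md5sum on the PATH; the file and advisory names in the comments are constructed stand-ins, not real SuSE packages.

```shell
#!/bin/sh
# Turn advisory lines ("<md5> ftp://host/path/file.rpm") into the
# "<md5>  file.rpm" form that `md5sum -c` reads, keeping only entries whose
# rpm is actually present in the download directory.
#   $1: advisory text file   $2: directory holding the downloaded rpms
advisory_to_md5sum() {
    advisory=$1
    dir=$2
    while read -r sum url; do
        # keep only lines that start with a 32-character hex digest
        [ "${#sum}" -eq 32 ] || continue
        case "$sum" in *[!0-9a-f]*) continue ;; esac
        # strip everything up to the last '/' to get the bare rpm name
        file=${url##*/}
        [ -n "$file" ] && [ -f "$dir/$file" ] || continue
        printf '%s  %s\n' "$sum" "$file"
    done < "$advisory"
}

# Run md5sum -c over every advisory entry that has a matching local rpm.
# Returns md5sum's own status: 0 only if every listed digest matched, so a
# published digest that does not match the download shows up as FAILED.
verify_rpms() {
    advisory=$1
    dir=$2
    list=$(advisory_to_md5sum "$advisory" "$dir")
    if [ -z "$list" ]; then
        echo "no advisory entry matches an rpm in $dir" >&2
        return 1
    fi
    # md5sum resolves the bare file names relative to the rpm directory
    printf '%s\n' "$list" | (cd "$dir" && md5sum -c)
}

# Constructed session (run from a scratch directory; the "rpm" is a stand-in
# whose contents are the line "hello", digest b1946ac92492d2347c6235b4d2611184):
#   printf 'hello\n' > kreatecd-0.3.8b-0.i386.rpm
#   printf 'b1946ac92492d2347c6235b4d2611184 ftp://ftp.suse.com/pub/suse/i386/update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm\n' > advisory.txt
#   verify_rpms advisory.txt .    # exit status 0
```

Lines that are advisory prose rather than digests, and entries for rpms you did not download, are dropped before md5sum sees them, so one advisory can be checked against a partial download.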
On Fri, 07 Apr 2000, Volker Kuhlmann wrote:
> Stupid question: when I download an updated rpm for SuSE, how do I check whether it's really come from SuSE??? It does not seem to be a very reliable way to go. I find that
>
> md5sum -c ~/t/m
> update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm: FAILED

....

I am getting the same problem. Just downloaded the above file and I get:

# md5sum kreatecd-0.3.8b-0.i386.rpm
a9ad2ebb07c094d49658efd6b0941c73 kreatecd-0.3.8b-0.i386.rpm

This is different to Volker's result:

> md5sum update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm
> ec64fd1187373f48c02922eb71ae2f7a update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm

But also differs from the announcement:

09cbe9a08cf2b0d5d5d0b1963c3edbcd ftp://ftp.s....

So I just downloaded the htdig update for 6.3:

# md5sum -b htdig-3.1.5-0.i386.rpm
cf847dffc94c759e7fd7c3d1ab54de40 *htdig-3.1.5-0.i386.rpm

And the announcement says:

0e302f0ebe4772a3f84ad8390f62c4e8 ftp://ftp.suse.c....

What are Volker and I doing wrong? It makes me feel like a newbie all over again. My md5sum is from an old SuSE CD rpm "textutil-1.22-18":

# md5sum --version
md5sum (GNU textutils) 1.22

> Question: why does SuSE not pgp/gpg sign their rpms?

If I knew how to work md5sum right I would be happy. With pgp I think we have compatibility, licence and US export issues (**is it legal in France to use pgp for signature checking??) The SuSE CDs have pgp version 2.6.2 (as do RedHat CDs I think), but it seems that many suse-security list members use version 5 source release or version 6 binary release. 5 and 6 are not compatible with my version of rpm, I think. GPG is too young for me to totally trust it yet. Does it work with rpm?

Regards,
dproc