Re: [suse-security] Does "kpackage" do a "checksig" ???
Hi List: *On Fri, 31 Jan 2003 20:18 EST, I asked:
Does "kpackage" do a "checksig" ??? I would still like to know.
I explained:
I normally do my "security updates" via YOU; whereas, rpm package upgrades I downloaded from SuSE (or a SuSE mirror) to a (home) download directory and then install via "kpackage."
My question is does anyone know if "kpackage" does a "checksig" on the rpm before installing it?
I know it checks dependencies but should I do:
"rpm --checksig <package name>.rpm"
on each rpm ???
In reply , Andreas Hasenack wrote: Don't forget to add "-v", otherwise you won't know who signed the package, only that it was signed (or not). He is right, but.... My question remains: Does "kpackage" do a "checksig" (i.e. against the suse key ring, MD5) TIA ~Gar -- __________________________________________________________________ The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/
On Wed, Feb 05, 2003 at 06:40:30PM -0500, GarUlbricht7@netscape.net wrote: [ basically: do I need rpm --checksig -v *.rpm or not ]
My question remains:
Does "kpackage" do a "checksig" (i.e. against the suse key ring, MD5)
TIA
~Gar
I did a brief grep on the source (I do not use this package), which is comming with the suse CDs, and it showed calls to rpmlib verifying the headers, but nothing about signatures. only reference about MD5 sums is when verifying files of installed packages against rpm db. you may want to have a look yourself. to prove: just move all suspective keyrings somewhere else, and see what happens. or do strace the program, and grep there for acess of the keyrings. you won't find any, I guess. this was suse 8.1, kdeadmin3-3.0.3 yes, I know there is a 3.0.4 out with The official KDE 3.0.4 update for SuSE 8.1. M: 2002-10-24 10:01:52 KDE 3.0.4 update [security]) so yes, you have to check the authenticity yourself. or you may use fou4s, next release will be soon :) Lars
participants (2)
-
GarUlbricht7@netscape.net -
Lars Ellenberg