On Wed, 2006-06-14 at 17:33 -0700, karl@xxxxxxxxxxxxxx wrote:
> Thanks to everyone who responded earlier with locations of the RPM bits.
> In thanks, here's a step-by-step of how I got things working. 6 minute
> response by two separate people shows this is a thriving community. rad.
>
> This how-to covers my current method for installing Tripwire 2.3 on our
> CentOS servers. It's working great,<snip>
> (would be nice to have an MD5 checksum to verify this package is secure)
Hope I'm not wasting your time here. I thought GPG signing was
sufficient for this stuff!?
I'm new at this stuff,but from "man yum.conf" there is this
gpgcheck
Either ‘1’ or ‘0’. This tells yum whether or not it should per-
form a GPG signature check on packages. When this is set in the
[main] section it sets the default for all repositories. This
option also determines whether or not an install of a package
from a local RPM file will be GPG signature checked. The
default is ‘0’.
In my yum.repos.d repo files, I have it enabled. Would this not
satisfactorily accomplish what is needed? I presume you can run it
manually if not using yum.
I always use yum to do basic installs, but as stated, I'm pretty new to
this stuff. Still spend an inordinate amount of time in mans, howtos,
etc. <*sigh*>
>
>
> 2. Install the Tripwire RPM:
> rpm -ivh tripwire-2.3.1-21.i386.rpm
Out of curiosity, I perused (lightly) "man rpm". Since it permits
signing, I presume that it also depends on GPG for verification (along
with other checks embedded in the processes?). From that I generated and
ran this little script
for N in $(rpm -qa gpg-pubkey*|sed -e 's/\.(none)//') ; do
rpm -qi $N |less
done
to see if Karan had a key that I had imported.
It revealed several instances of GPG signatures with this summary
gpg(Karanbir Singh (http://www.karan.org/) <kbsingh@xxxxxxxxx>)
There must certainly have been instructions on either CentOS or
Karanbir's site as I would not have enough knowledge of my own to get
these set up... well maybe imported while using mail. That's possible.
Ah! But I recall now when I first started I got failures because I had
*not* imported keys (although I *thought* I had) for one of the
repositories. I think that confirms that GPG does suffice for
validation. Doesn't it?
Anyway, I haven't reviewed the web sites for a long time, but I suspect
the files are signed and I suspect that should meet the need. And I
suspect that you need to do an rpm import of the keys? Instructions and
keys are on the sites, IIRC.
Something I'm missing, being ignorant and new and shameless about it?
Anyway, here, all the repos had keys except atrpm, which I have not
used, so I would not have done the rpm import yet for that.
> <snip>
> -karlski
> <snip sig stuff>
Hope I wasn't wasting your time.
--
Bill
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
