On Mon, Mar 10, 2008 at 06:29:50PM +0100, Ralf Ertzinger wrote:
> Hi.
>
> On Mon, 10 Mar 2008 09:20:08 -0800, Jeff Spaleta wrote
>
> > Any way you can have this tool also test the key signatures of
> > packages in the iso?
> > This came up in fab concerning hosting externally built isos as part
> > of a tiered collection of spins. Is it possible for your tool, or a
> > related tool that you can build this week, to verify that the livecd
> > contents come from packages signed by the Fedora key (or a specific
> > group of keys)?
>
> What do you gain by doing that? Unless you turn every bit on the iso
> around you can not be sure that the packages are not tampered with after
> installation.

I started looking into this. rpm -V verifies the md5sums of the
individual files. Running 'rpm -V' for each rpm on the ccLiveCD-2.0
only turned up a dozen or so packages with any changes at all, all of
them trivial configuration changes.

rpm -V does not, AFAICT, try recreating the original rpm, to compare
the gpg signature. For our purposes, I think it would be fair to
assume that if the package is signed by one of the Fedora keys, and if
its 'rpm -V' output was clean, that it is unchanged. Where 'rpm -V'
reports something, or if a package is not signed (such as the cc-home
RPM on the above CD), it will require manual review.

Now which RPM tag carries the gpg key used to create the signature?
If anyone knows, I can probably hack this up pretty easily, next
week...

Thanks,
Matt
--
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
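A sketch of the check described in the message above, added here as an example; it is not part of the thread and not any Fedora or Dell tool. The signature is stored in the package header's SIGPGP (RSA) or SIGGPG (DSA) tag, and rpm's ':pgpsig' format extension renders either one as "<algo>, <date>, Key ID <16 hex digits>", so '%{SIGGPG:pgpsig}' / '%{SIGPGP:pgpsig}' in a query format is the tag lookup asked about. The script parses that query output together with 'rpm -V' output and applies the stated rule: trusted key and clean rpm -V means unchanged, anything else goes to manual review. The package list, key IDs and rpm -V lines below are constructed sample text in the shape rpm produces, so the script runs offline; only the cc-home package name comes from the thread.

```python
import re

# Constructed placeholders for the trusted signing keys. rpm prints a key ID as
# the low 64 bits of the key fingerprint. These are NOT real Fedora key IDs.
ALLOWED_KEY_IDS = {"4f2a6fd2a4f5b2c1", "a123456789abcdef"}

_KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")
# One 'rpm -V' line: 8 or 9 status flags (or the word "missing"), an optional
# attribute letter (c=config, d=doc, g=ghost, l=license, r=readme), the path.
_VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>\S.*)$"
)


def key_id_from_pgpsig(field):
    """Pull the key ID out of a '%{SIGPGP:pgpsig}' or '%{SIGGPG:pgpsig}' value.

    rpm formats it as e.g. 'DSA/SHA1, Thu 07 Feb 2008 ..., Key ID 4f2a6fd2a4f5b2c1'
    and prints '(none)' when the tag is absent, so None means "not signed".
    """
    m = _KEYID_RE.search(field or "")
    return m.group(1).lower() if m else None


def parse_verify(text):
    """Turn 'rpm -V' output into (flags, attr, path) tuples; [] means clean."""
    findings = []
    for line in (text or "").splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = _VERIFY_RE.match(line)
        if m:
            findings.append((m.group("flags"), m.group("attr") or "", m.group("path")))
        else:
            # e.g. "Unsatisfied dependencies for ...": keep it as a finding, do not guess.
            findings.append(("other", "", line))
    return findings


def classify(pkg, pgpsig, gpgsig, verify_text, allowed=ALLOWED_KEY_IDS):
    """Trusted key AND clean rpm -V => ok; anything else => review, with a reason.

    Config-only changes are still sent to review (they are only labelled so a
    reviewer can triage them first), matching the rule in the message.
    """
    key = key_id_from_pgpsig(pgpsig) or key_id_from_pgpsig(gpgsig)
    findings = parse_verify(verify_text)
    result = {"package": pkg, "key": key, "findings": findings, "status": "review"}
    if verify_text is None:
        result["reason"] = "no rpm -V output"
    elif key is None:
        result["reason"] = "unsigned"
    elif key not in allowed:
        result["reason"] = "signed by untrusted key"
    elif findings:
        config_only = all(f[0] != "missing" and f[1] == "c" for f in findings)
        result["reason"] = "config files modified" if config_only else "non-config changes"
    else:
        result["status"] = "ok"
        result["reason"] = "trusted key, rpm -V clean"
    return result


def audit(query_text, verify_by_pkg, allowed=ALLOWED_KEY_IDS):
    r"""query_text is what this real rpm invocation prints for a mounted image root:
         rpm --root /mnt/live -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n'
       verify_by_pkg maps each name-version-release to its 'rpm --root /mnt/live -V <nvr>' output.
    """
    results = []
    for line in query_text.splitlines():
        if not line.strip():
            continue
        pkg, pgpsig, gpgsig = (line.split("\t") + ["", ""])[:3]
        results.append(classify(pkg, pgpsig, gpgsig, verify_by_pkg.get(pkg), allowed))
    return results


# Constructed sample input in the shape the two rpm commands above produce.
SAMPLE_QUERY = (
    "glibc-2.7-2\tRSA/SHA1, Thu 07 Feb 2008 12:00:00 PM UTC, Key ID 4f2a6fd2a4f5b2c1\t(none)\n"
    "pam-0.99.8.1-10\t(none)\tDSA/SHA1, Thu 07 Feb 2008 12:00:00 PM UTC, Key ID a123456789abcdef\n"
    "cc-home-1.0-1\t(none)\t(none)\n"
    "rogue-tool-1.2-3\tRSA/SHA1, Fri 08 Feb 2008 12:00:00 PM UTC, Key ID deadbeefdeadbeef\t(none)\n"
)
SAMPLE_VERIFY = {
    "glibc-2.7-2": "",
    "pam-0.99.8.1-10": "S.5....T.  c /etc/pam.d/login\n",
    "cc-home-1.0-1": "",
    "rogue-tool-1.2-3": "S.5....T.    /usr/bin/rogue\n"
                        "missing     /usr/share/doc/rogue-tool-1.2/README\n",
}

if __name__ == "__main__":
    for r in audit(SAMPLE_QUERY, SAMPLE_VERIFY):
        print(f"{r['status']:6} {r['package']:20} key={r['key']} {r['reason']}")
        for flags, attr, path in r["findings"]:
            print(f"       {flags:9} {attr or '-'} {path}")
```

The limit Ralf points out still applies: the key ID and the per-file md5sums both come from the package header stored in the image's rpmdb, and rpm -V compares the filesystem against that same header, so an attacker who rewrote the rpmdb along with the files passes both checks. A stronger check needs the original signed .rpm files to run rpm -K against, which the live image does not carry.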