Re: Should Fedora rpms be signed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2004-10-29 at 13:42 -0400, Elliot Lee wrote:
> On Fri, 29 Oct 2004, Nils Philippsen wrote:
> 
> > On Fri, 2004-10-29 at 11:06 -0600, Rodolfo J. Paiz wrote:
> > 
> > > That being said, let me take your points one by one:
> > > 
> > >   1. Replace something that worked well for years. What was the
> > > mechanism previously that let me verify that the updated kernel RPM on
> > > Mirror X was a bit-identical copy of the one actually published by Red
> > > Hat? I know how to verify ISO's but know of nothing that verifies a
> > > package was not tampered with after being placed on a mirror.
> > 
> > This is an old snapshot of Rawhide but serves well nonetheless:
> > 
> > nils@gibraltar:/misc/scratch/rawhide/i386/Fedora/RPMS> rpm -K rpmdb-fedora-1.91-0.20040325.i386.rpm bash-2.05b-38.i386.rpm
> > rpmdb-fedora-1.91-0.20040325.i386.rpm: sha1 md5 OK
> > bash-2.05b-38.i386.rpm: (sha1) dsa sha1 md5 gpg OK
> > 
> > See? I can verify that the bash package is signed with one of the keys I
> > have in the keyring. Granted that I can't see (here) which key it was
> > signed with
> 
> Actually, you can, using 'rpm -Kv'. :-)

Deep inside I knew you could ;-).

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp@xxxxxxxxxx
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011


[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]