Sam Varshavchik wrote:
Bernd Bartmann writes:
Why is it not possible to automatically sent out the announcement
after the rpms are signed and the MD5 sums are known?
Is it possible to trigger an email to the packager after the package
is signed? Something like a reminder "package is ready for
distribution, please sent out an announcement".
Why even care about MD5 sums? As long as the signature verifies OK
that's all you need to know. The signature is really just another sum
of the file's contents, that's encrypted by the private key.
afair not all packages are signed, eg. testing, development, ...
the md5sum will tell if the package was modified.
eg. hexedit a signed package.
# cp logwatch-5.2.2-1.FC3.1.noarch.rpm
logwatch-5.2.2-1.FC3.1.noarch-hexedit.rpm
# md5sum logwatch-5.2.2-1.FC3.1.noarch*
a00bb258185c048fa179a8c015efdab7 logwatch-5.2.2-1.FC3.1.noarch-hexedit.rpm
a00bb258185c048fa179a8c015efdab7 logwatch-5.2.2-1.FC3.1.noarch.rpm
# hexedit logwatch-5.2.2-1.FC3.1.noarch-hexedit.rpm
[...]
# md5sum logwatch-5.2.2-1.FC3.1.noarch*
307dbab2caa82e62740c1849a30fe7a1 logwatch-5.2.2-1.FC3.1.noarch-hexedit.rpm
a00bb258185c048fa179a8c015efdab7 logwatch-5.2.2-1.FC3.1.noarch.rpm
# rpm -Uvh --test logwatch-5.2.2-1.FC3.1.noarch.rpm
Preparing... ###########################################
[100%]
package logwatch-5.2.2-1.FC3.1 is already installed
# rpm -Uvh --test logwatch-5.2.2-1.FC3.1.noarch-hexedit.rpm
Preparing... ###########################################
[100%]
package logwatch-5.2.2-1.FC3.1 is already installed
# hexedit logwatch-5.2.2-1.FC3.1.noarch-hexedit.rpm
[...]
# md5sum logwatch-5.2.2-1.FC3.1.noarch*
3a9badb69d9047f9205412db801e1c70 logwatch-5.2.2-1.FC3.1.noarch-hexedit.rpm
a00bb258185c048fa179a8c015efdab7 logwatch-5.2.2-1.FC3.1.noarch.rpm
# rpm -Uvh --test logwatch-5.2.2-1.FC3.1.noarch-hexedit.rpm Fehler:
logwatch-5.2.2-1.FC3.1.noarch-hexedit.rpm: V3 DSA signature: BAD, key ID
4f2a6fd2
Fehler: logwatch-5.2.2-1.FC3.1.noarch-hexedit.rpm cannot be installed
--
shrek-m