On Mon, 19 Jan 2004 11:09:33 +0000, Ryan Dimbleby wrote:

> Hi,
>
> I'm trying to install dovecot but want to verify the RPM from the site with the given PGP signature.
>
> How do I check the RPM with the sig given?

You can't. You mix up two different concepts. One is a detached PGP signature. The second one is a signature inside the RPM package file.

> ryan@dellboy => rpm -K dovecot-0.99.10.4-0.rh90.dag.i386.rpm
> dovecot-0.99.10.4-0.rh90.dag.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#6b8d79e6)

Above you would get the key with id 6b8d79e6 and import it into your RPM database:

    rpm --import ascii-armored-keyfile

You could then verify that the package is really from a person that has access to the key and that the person who signed the RPM package is trustworthy enough. You cannot verify anything else. In particular, you cannot verify whether the i386.rpm was built with sources which contain malicious code, such as a trojan horse.

> I have the sig:
>
> ryan@dellboy => cat dovecot-0.99.10.4.tar.gz.asc

This is something completely different. You would need the corresponding dovecot-0.99.10.4.tar.gz archive and then run "gpg" on the signature to verify whether it matches the archive.

If you have a signed src.rpm for the dovecot package, you could extract it and then use the tar.gz.asc signature to verify the tar.gz archive within the src.rpm and then rebuild the binary rpm from the src.rpm. ;)

-- 
-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
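The two separate checks the reply distinguishes, as an added shell example that is not part of the original thread: a small parser for the `rpm -K` verdict so that a "MISSING KEYS" result is reported as a missing key rather than mistaken for a pass, plus wrappers for the embedded-signature check and for the detached `.asc` check with gpg. The function names are my own, and `verify_rpm`/`verify_tarball` assume rpm and gpg are installed on the host.

```shell
#!/bin/sh
# Added example: classify an `rpm -K` verdict line and drive the two separate
# checks described in the reply (RPM-embedded signature vs. detached tarball sig).

# Print one of: OK | MISSING_KEY <keyid> | FAIL  for a single `rpm -K` line.
# "NOT OK" is tested before "OK" because the latter is a substring of the former.
classify_rpm_k() {
  case $1 in
    *"NOT OK (MISSING KEYS: GPG#"*)
      keyid=$(printf '%s\n' "$1" | sed -n 's/.*MISSING KEYS: GPG#\([0-9a-fA-F]*\).*/\1/p')
      printf 'MISSING_KEY %s\n' "$keyid" ;;
    *"NOT OK"*) printf 'FAIL\n' ;;
    *" OK")     printf 'OK\n' ;;
    *)          printf 'FAIL\n' ;;
  esac
}

# Check the signature embedded in a binary RPM. A MISSING_KEY verdict is not a
# pass: obtain the key for that id from the packager's own site, import it with
# `rpm --import <ascii-armored-keyfile>`, then re-run. Requires rpm on the host.
verify_rpm() {
  verdict=$(classify_rpm_k "$(rpm -K "$1" 2>&1)")
  case $verdict in
    OK)           echo "$1: embedded package signature verified" ;;
    MISSING_KEY*) echo "$1: key ${verdict#MISSING_KEY } not in rpm db; import it first" >&2
                  return 1 ;;
    *)            echo "$1: signature check FAILED" >&2
                  return 1 ;;
  esac
}

# Check a detached signature (e.g. dovecot-0.99.10.4.tar.gz.asc) against the
# archive it was made for. Requires gpg and the signer's key in the keyring.
verify_tarball() {
  gpg --verify "$1.asc" "$1"
}
```

Note that a passing `verify_rpm` only proves the package was signed by the holder of that key; it says nothing about the sources it was built from, which is the reply's point.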