Hi Charles, By the way - on this subject, would you know of any good books or on line publications what would cover both the theory and include a step by step guide of verifying an entire server's data integrity using MD5? Mike suggested a book called "Hack Proofing Linux" which I have on order, however that one is a few years old and I'm running RH 8 and was wondering if there is anything more current or coveres RH8 and MD5 Thanks again. -----Original Message----- From: psyche-list-admin@xxxxxxxxxx [mailto:psyche-list-admin@xxxxxxxxxx]On Behalf Of Charles Curley Sent: Monday, September 29, 2003 10:33 AM To: psyche-list@xxxxxxxxxx Subject: Re: MD5 checksum server OS check On Sat, Sep 27, 2003 at 10:39:42AM -0400, help@xxxxxxxxxxx wrote: > Hi Charles, > > OK the gpg key and the MD5SUM file, do I download these from the RH site, > or do they already come on my RH 8 distribution disks? WHere on disk or > site would they be located? Or is the MD5SUM file the actual file that > I am testing against the distribution disks? In future, please reply below the text to which you are responding. It is easier to read, so a courtesy to your readers. You get the md5 sums in the file MD5SUMS, which is in the same direcotry from which you FTP the ISO images of the CD-ROMs. See http://www.redhat.com/download/howto_download.html for details. The file MD5SUMS is signed; that key is in the root directory of each CD, and after installation it is in multiple files on the computer. See, e.g.: /usr/share/doc/redhat-release-8.0/RPM-GPG-KEY. > > I read at http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html that MD5 > is a more reliable way to test data integrity, if I do MD5 checks is > a checksum test redundant? Yes. Md5sums are checksums takes with a specific algorithm so that the program operates identically regarless of processor and other issues. > > > > >Depends on how you want to do it. First, import Red Hat's gpg key > >(preferred), or add the appropriate command line switch to the rpm > >call below to disable gpg key checking. Then get the MD5SUM file and > >verify its gpg signature: > > > >gpg --verify MD5SUM > > > >Then checksum the image(s): > > > >md5sum <path> > > > >where <path> may be your CD-ROM device, such as /mnt/cdrom. > > > >e.g, for severn: > > > >cat MD5SUM ; md5sum severn-i386-disc*.iso > > > > > >You should also check individual packages, e.g.: > > > >find <path> -iname "*.rpm" -exec rpm -K {} \; | grep NOT > > > >where silence implies acceptance. > > > -- > Psyche-list mailing list > Psyche-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/psyche-list -- Charles Curley /"\ ASCII Ribbon Campaign Looking for fine software \ / Respect for open standards and/or writing? X No HTML/RTF in email http://www.charlescurley.com / \ No M$ Word docs in email Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB -- Psyche-list mailing list Psyche-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/psyche-list
