I have been working with the Python binding for rpm, and as I am sure everyone is aware, documentation for rpm on the developer level is a bit thin. I noticed some documentation updates from Florian a couple of months ago for the RPM bindings, thanks so much.

Anyway, what I am looking for is a way to ensure the integrity of rpmdb entries. Essentially I want assurance that the characteristics for a package that is installed can be cryptographically proven to come from a signed upstream source. Now I know I can do this for rpm files themselves; however, entries in the DB are a bit hazier. There are hints that this signature checking occurs automatically from some sources, but I am still unsure. Methods like hdrCheck look promising, but again I am unsure.

So essentially what I am aiming to do is to look at a file entry in the rpm db, view the hash, and be able to believe with a high degree of confidence that the hash present for the file entry in the rpm db came from an upstream source, i.e. the entry is signed.

Is something like this possible?

-Erinn
_______________________________________________ Rpm-list mailing list Rpm-list@xxxxxxxxxxxxx http://lists.rpm.org/mailman/listinfo/rpm-list