At 09:44 PM 4/23/01 -0700, John Meshkoff wrote:
>and trying either the above '-K --nopgp' or 'rpm --checksig [pkgname]'
>gives, for example:
>
> kernel-2.2.12-20.i386.rpm: md5 GPG NOT OK
>
>This result is the same for any file, even those on the Red Hat CD
>(which the example is from). It would seem that using the
>'--checksig' option would be the way, but if I comprehend the man page
>on rpm, rpm has to be configured for PGP, and I can't find any
>documentation explaining how to do this. 'apropos PGP' gives "nothing
>apropriate", and there's no man page for PGP. 'locate PGP' gives only:

The problem is both simple and somewhat silly. In order to use checksig you
should be using a version of RPM and gpg (not pgp; gpg is MUCH easier to
set up since it comes as a Redhat RPM), and you must have Redhat's public key
correctly installed. This took me a while to figure out the first time (you'd
figure they would include a copy of it with the OS; I ended up getting it
from their website, well hidden away at
http://www.redhat.com/about/contact/pgpkey.html). You should have GPG
installed and download the .asc file versions of the keys to some directory
on your system, then run "gpg --import *.asc" as root in that dir. You
should then be able to duplicate the following (as root):
# rpm -K *.rpm
mgetty-1.1.25-5.i386.rpm: md5 gpg OK
mgetty-sendfax-1.1.25-5.i386.rpm: md5 gpg OK
mgetty-viewfax-1.1.25-5.i386.rpm: md5 gpg OK
mgetty-voice-1.1.25-5.i386.rpm: md5 gpg OK
netscape-common-4.77-1.i386.rpm: md5 gpg OK
netscape-communicator-4.77-1.i386.rpm: md5 gpg OK
netscape-navigator-4.77-1.i386.rpm: md5 gpg OK
up2date-2.5.4-1.i386.rpm: md5 gpg OK
up2date-gnome-2.5.4-1.i386.rpm: md5 gpg OK
You can also perform verifications as a non-root user, but then you need to
import the keys into GPG again as that user (keyrings are user-specific).
Once you get this working you should consider running something like:
# Quote the glob so the shell hands '*.rpm' to find instead of expanding it.
if find . -type f -name '*.rpm' -print0 | xargs -0 -n1 rpm -K; then
  echo "All RPM files are OK."
else
  echo "Oops, looks like we have some bad RPMs!"
fi
If you're operating in a high security environment then you should probably
run all downloaded RPM files through a script that does signature tests and
deletes them if either they have no GPG signature or they are invalid (i.e.
if the portion of the output after the last ":" is anything other than
" md5 gpg OK \n").
A test like
# Read find's output line by line so paths containing spaces survive intact.
find . -type f -name '*.rpm' | while IFS= read -r f; do
  if ! rpm -K "$f" 2>/dev/null | grep -q ': md5 gpg OK$'; then
    echo "RPM File $f is corrupt or unsigned! ARRRRRRRRGH!"
  else
    echo "$f is Ok"
  fi
done
works well IMHO. Naturally the "echo" statements should be changed; I have
used:
# -mtime -48 selects files modified within the last 48 days (find counts in days).
find . -mtime -48 -type f -name '*.rpm' | while IFS= read -r f; do
  if ! rpm -K "$f" 2>/dev/null | grep -q ': md5 gpg OK$'; then
    echo "RPM File $f is BAD!"
    mv -vf "$f" /root/unsafe_rpms/
  fi
done
in a daily cron job, executed just after the mirror update completes so that
it verifies all recently modified RPM files.
--
"I've always wanted to be somebody. Next time I'll be more specific."
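
As an added example (not the original poster's code), the quarantine loop from the mail above reworked into a reusable POSIX sh script: it applies the post's rule that everything after the last ":" of an "rpm -K" line must read "md5 gpg OK", separates unsigned packages from bad signatures in its report, and copes with paths containing spaces or colons. The "md5 OK" line format for an unsigned package and the report-file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Splits each "rpm -K" line on
# its LAST ": " (so paths containing ": " still parse) and applies the
# rule from the mail: anything other than "md5 gpg OK" is rejected.
# Assumption: the rpm 3.x/4.0 output formats shown in the thread, plus
# "md5 OK" for a package that carries no GPG signature at all.
TAB=$(printf '\t')

rpm_k_status() {
    # $1 = one line such as "foo-1.0-1.i386.rpm: md5 gpg OK"
    case "${1##*: }" in
        "md5 gpg OK") echo OK ;;        # digest and signature both verified
        "md5 OK")     echo UNSIGNED ;;  # digest fine, but no GPG signature
        *)            echo BAD ;;       # NOT OK, missing key, truncated line
    esac
}

# stdin: raw "rpm -K" output; stdout: "<STATUS><TAB><file>" per line.
classify_rpm_k_output() {
    while IFS= read -r line; do
        printf '%s\t%s\n' "$(rpm_k_status "$line")" "${line%: *}"
    done
}

# Check every *.rpm under $1 and move anything not "md5 gpg OK" into $2.
# Returns 0 when all packages passed, 1 when something was quarantined
# (so a cron job run after the mirror update can alert on the status).
quarantine_bad_rpms() {
    mkdir -p "$2"
    report=$2/last_report.txt   # assumed name for the list of rejects
    # grep -v succeeds only when at least one non-OK line exists.
    if find "$1" -type f -name '*.rpm' -exec rpm -K {} + 2>/dev/null |
            classify_rpm_k_output | grep -v "^OK$TAB" > "$report"; then
        while IFS=$TAB read -r status file; do
            echo "$status: $file" >&2
            mv -f "$file" "$2"/
        done < "$report"
        return 1
    fi
    return 0
}

# Usage: sh verify_rpms.sh /srv/mirror/updates /root/unsafe_rpms
if [ "$#" -ge 2 ]; then
    quarantine_bad_rpms "$1" "$2"
fi
```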
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list