SCIENTIFIC-LINUX-USERS Archives

May 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Wed, 27 May 2009 01:54:59 -0500

Ron Rechenmacher wrote:
> Hi,
> I want to install kernel-2.6.18-128.1.10.el5.src.rpm which I can get via:
>     wget ftp://linux.fnal.gov/linux/scientific/53/SRPMS/vendor/\
> kernel-2.6.18-128.1.10.el5.src.rpm
> 
> But before I do an rpm --install, I would like to verify the integrity 
> of the rpm.  How do I do this?
> 
> I've found the following web site:
>     http://rhn.redhat.com/errata/RHSA-2009-0473.html
> which shows:
> SRPMS:
> kernel-2.6.18-128.1.10.el5.src.rpm   5784eab8bcaf859f66d0fc09d37870f8
> 
> and I assume there is some way to see the associated number on my system 
>   if the .src.rpm is valid. The md5sum command produces:
> 
> # md5sum kernel-2.6.18-128.1.10.el5.src.rpm
> e505dd681cf83a06410e86f6301feed8  kernel-2.6.18-128.1.10.el5.src.rpm
> 
> The right number of digits, but the wrong ones.
> 
> I've noticed the rpmsign command, but it produces:
> # rpmsign -K kernel-2.6.18-128.1.10.el5.src.rpm
> kernel-2.6.18-128.1.10.el5.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK 
> (MISSING KEYS: GPG#82fd17b2)
> 
> But, maybe I don't know how to use it (it's the first time I have).
> 
> Any help is appreciated.
> 
> BTW, I've also downloaded the same kernel-2.6.18-128.1.10.el5.src.rpm 
> file from other sites and I get consistent, but different md5sums.
> 
> 
> Thanks,
> Ron

Hi Ron,
The md5sum that you get from our src.rpm directories 
ftp://linux.fnal.gov/linux/scientific/53/SRPMS/vendor/
is going to be different than if you download it directly from redhat, 
or someplace that just mirrors them directly
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/

The reason for this is that we sign both our compiled rpm's and our 
source rpm's.  RedHat doesn't sign their src.rpm's that they put in their 
public areas.  I believe (but haven't verified) that they do sign the 
rpm's that they put in their rhn areas though.

As for verifying rpm's, I usually use the -K option ... which I believe 
works on src.rpm, but I currently cannot verify that

rpm -K <package>

Troy

-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
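
An added example, not part of the original messages and not code from rpm or Scientific Linux: a shell helper that reads `rpm -K` output and separates the "signing key not imported" result quoted above from a real verification failure. The function names, the `KEYFILE` placeholder and the sample lines in the comments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify the output of `rpm -K <package>`.
# Prints one of: "ok", "missing-key <id> ...", "failed".
classify_rpm_k() {
    # Strip trailing whitespace so the " OK" suffix test is reliable.
    line=$(printf '%s\n' "$1" | sed 's/[[:space:]]*$//')
    case $line in
        *"MISSING KEYS:"*)
            # rpm could not check the signature because the signer's
            # public key is not in its keyring. Extract the key IDs
            # listed between "MISSING KEYS:" and the closing ")".
            ids=$(printf '%s\n' "$line" |
                sed -n 's/.*MISSING KEYS:\([^)]*\)).*/\1/p' |
                tr -s ' ' '\n' | sed -n 's/^[A-Z]*#//p' | tr '\n' ' ')
            printf 'missing-key %s\n' "${ids% }"
            ;;
        *"NOT OK"*) echo failed ;;   # a check ran and did not pass
        *" OK")     echo ok ;;       # every check passed
        *)          echo failed ;;   # unrecognised output: do not trust it
    esac
}

# Run `rpm -K` on a package file.
# Returns 0 if verified, 2 if the key is missing, 1 otherwise.
check_pkg() {
    out=$(rpm -K "$1" 2>&1)
    status=$(classify_rpm_k "$out")
    printf '%s: %s\n' "$1" "$status"
    case $status in
        ok) return 0 ;;
        missing-key*)
            # KEYFILE is a placeholder for the signer's public key file,
            # obtained from a source you already trust.
            echo "import the signer's key, then re-run: rpm --import KEYFILE" >&2
            return 2 ;;
        *) return 1 ;;
    esac
}

# Constructed sample lines, in the style of the output quoted above:
#   example.src.rpm: (sha1) dsa sha1 md5 gpg OK
#   example.src.rpm: sha1 MD5 NOT OK
# Usage: check_pkg kernel-2.6.18-128.1.10.el5.src.rpm && rpm --install ...
```

A `missing-key` result says nothing about the package contents either way; the check only becomes meaningful once the key with the reported ID has been imported and `rpm -K` is run again.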
