SCIENTIFIC-LINUX-USERS Archives

September 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: How can I check authenticity of source rpms?
From:
Müller-Reineke, Matthias <[log in to unmask]>
Reply To:
Müller-Reineke, Matthias <[log in to unmask]>
Date:
Tue, 25 Sep 2012 16:02:38 +0000
Content-Type:
text/plain
Parts/Attachments:
text/plain (1 lines) 
Volker wrote:

> On Tue, 2012-09-25 at 09:50 +0000, Müller-Reineke, Matthias wrote:

> > What is missing?



> The public key of the repository. Import it using rpm --import.



I've copied the file to a TUV system. It can be checked there:



~/> rpm --checksig -v tomcat6-6.0.24-45.el6.src.rpm              

tomcat6-6.0.24-45.el6.src.rpm:

    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK

    Header SHA1 digest: OK (906acdd5cf193699ef3028d438b12edf7c934d47)

    V3 RSA/SHA256 Signature, key ID fd431d51: OK

    MD5 digest: OK (7ec8af89e12e5ba43ee1a97e848e75a4)





http://blog.andreas-haerter.com/2012/03/06/rpm-yum-gpg-key-verification-import-deletion-package-signature-check-cheat-sheet

made me discover packages on the TUV system which contain TUVs public keys. Actually the description of these packages contains the ascii armored keys. Inserting the right one into a disk file and importing it (rpm --import) makes it possible to validate the source rpm on a Scientific Linux 6 system.



Why are these public keys not included into Scientific Linux 6?

Is it prohibited by TUV (from rpm -qi: License: pubkey)?





Matthias

ATOM RSS1 RSS2