<HTML>
<HEAD>
<TITLE>Maximum RPM (RPM):Using RPM to Verify Package Files:EarthWeb Inc.-</TITLE>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>
-->
<!-- ISBN=0672311054 //-->
<!-- TITLE=Maximum RPM (RPM)//-->
<!-- AUTHOR=Edward Bailey//-->
<!-- PUBLISHER=Macmillan Computer Publishing//-->
<!-- IMPRINT=Sams//-->
<!-- CHAPTER=07 //-->
<!-- PAGES=0093-0100 //-->
<!-- UNASSIGNED1 //-->
<!-- UNASSIGNED2 //-->
<P><CENTER>
<a href="../ch06/0089-0092.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="0097-0099.html">Next</A>
</CENTER></P>
<A NAME="PAGENUM-93"><P>Page 93</P></A>
<H3><A NAME="ch07_ 1">
Chapter 7
</A></H3>
<H2>
Using RPM to Verify<BR>
Package Files
</H2>
<A NAME="PAGENUM-94"><P>Page 94</P></A>
<P>Table 7.1. Package verification syntax and options.
</P>
<TABLE>
<TR><TD>rpm -K (or --checksig)</TD><TD>Options</TD><TD>file1.rpm...fileN.rpm</TD></TR>
<TR><TH></TH><TH>Parameters</TH><TH></TH></TR>
<TR><TD>file1.rpm...fileN.rpm</TD><TD>One or more RPM package files (URLs are usable)</TD><TD></TD></TR>
<TR><TH></TH><TH>Checksig-Specific Options</TH><TH>Section</TH></TR>
<TR><TD>--nopgp</TD><TD>Do not verify PGP signatures</TD><TD>7.3.5</TD></TR>
<TR><TH></TH><TH>General Options</TH><TH>Section</TH></TR>
<TR><TD>-v</TD><TD>Display additional information</TD><TD>7.3.1</TD></TR>
<TR><TD>-vv</TD><TD>Display debugging information</TD><TD>7.3.6</TD></TR>
<TR><TD>--rcfile &lt;rcfile&gt;</TD><TD>Set alternate rpmrc file to &lt;rcfile&gt;</TD><TD>7.3.7</TD></TR>
</TABLE>
<H4><A NAME="ch07_ 2">
7.1. rpm -K: What Does It Do?
</A></H4>
<P>One aspect of RPM is that you can get a package from the Internet and easily install it.
But what do you know about that package file? Is the organization listed as being the vendor of
the package really the organization that built it? Did someone make unauthorized changes to
it? Can you trust that, if installed, it won't mail a copy of your password file to a system cracker?
</P>
<P>Features built into RPM allow you to make sure that the package file you've just gotten
won't cause you problems after it's installed, whether the package was corrupted by line noise
when you downloaded it or something more sinister happened to it.
</P>
<P>The command rpm -K (the option --checksig is equivalent) verifies
a package file. Using this command, it is easy to make sure the file has not been changed in any way.
rpm -K can also be used to make sure that the package was actually built by the organization listed as being
the package's vendor. That's all very impressive, but how does it do that? Well, it just needs
help from some "pretty good" software.
</P>
<H4><A NAME="ch07_ 3">
7.1.1. Pretty Good Privacy: RPM's Assistant
</A></H4>
<P>The "pretty good" software we're referring to is known as
pretty good privacy, or PGP. While all the information on PGP could fill a book (or several), we've provided a quick introduction
to help you get started.
</P>
<P>If PGP is new to you, a quick glance through Appendix G, "An Introduction to PGP,"
should get you well on your way to understanding, building, and installing PGP. If, on the other
hand, you've got PGP already installed and have sent an encrypted message or two, you're
probably more than ready to continue with this chapter.
</P>
<A NAME="PAGENUM-95"><P>Page 95</P></A>
<H4><A NAME="ch07_ 4">
7.2. Configuring PGP for rpm -K
</A></H4>
<P>After PGP is properly built and installed, the actual configuration for RPM is trivial.
Here's what needs to be done:
</P>
<OL>
<LI> PGP must be in your path. If PGP's usage message doesn't come up when you
enter pgp at your shell prompt, you'll need to add PGP's directory to your path.
<LI> PGP must be able to find the public keyring file that you want to use when
checking package file signatures. You can use two methods to direct PGP to the public keyring:
<UL>
<LI> Set the
PGPPATH environment variable to point to the directory containing
the public keyring file.
<LI> Set the
pgp_path rpmrc file entry to point to the directory containing the
public keyring file. For more information on rpmrc files,
rpmrc file entries, and how to use them, please see Appendix B, "The
rpmrc File."
</UL>
</OL>
<P>Now we're ready.
</P>
<H4><A NAME="ch07_ 5">
7.3. Using rpm -K
</A></H4>
<P>After all the preliminaries with PGP, it's time to get down to business. First, we need to get
the package builder's public key and add it to the public keyring file used by RPM. You'll need
to do this once for each package builder whose packages you'll want to check. This is what
you'll need to do:
</P>
<!-- CODE //-->
<PRE>
# pgp -ka RPM-PGP-KEY ./pubring.pgp
Pretty Good Privacy(tm) 2.6.3a - Public-key encryption for the masses.
(c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 1996-03-04
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1996/06/01 22:50 GMT
Looking for new keys...
pub 1024/CBA29BF9 1996/02/20 Red Hat Software, Inc. &lt;redhat@redhat.com&gt;
Checking signatures...
Keyfile contains:
1 new key(s)
One or more of the new keys are not fully certified.
Do you want to certify any of these keys yourself (y/N)? n
#
</PRE>
<!-- END CODE //-->
<A NAME="PAGENUM-96"><P>Page 96</P></A>
<P>Here we've added Red Hat Software's public key, since we're going to check some
package files produced by them. The file RPM-PGP-KEY contains the key. At the end, PGP asks
whether we want to certify the new key. We've answered no because it isn't necessary to
certify keys to verify package files.
</P>
<P>Next, we'll verify a package file:
</P>
<!-- CODE SNIP //-->
<PRE>
# rpm -K rpm-2.3-1.i386.rpm
rpm-2.3-1.i386.rpm: size pgp md5 OK
#
</PRE>
<!-- END CODE SNIP //-->
<P>While the output might seem somewhat anticlimactic, we can now be nearly 100%
certain that this package was produced by Red Hat Software, Inc., and is unchanged from Red Hat's original copy.
</P>
<P>The output from this command shows that there are actually three distinct features of the
package file that are checked by the -K option:
</P>
<UL>
<LI> The
size message indicates that the size of the packaged files has not changed.
<LI> The
pgp message indicates that the digital signature contained in the package file is
a valid signature of the package file contents, and was produced by the organization
that originally signed the package.
<LI> The
md5 message indicates that a checksum contained in the package file and
calculated when the package was built matches a checksum calculated by RPM
during verification. Because the two checksums match, it is unlikely that the package
has been modified.
</UL>
<P>The OK means that each of these tests was successful. If any had failed, the name would
have been printed in parentheses. A bit later in the chapter, we'll see what happens when there
are verification problems.
</P>
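<P>As an added example that is not part of the book, the following POSIX shell helper applies the rule just described to one-line <CODE>rpm -K</CODE> results: a check name printed bare passed, a name printed in parentheses failed, and a name absent altogether (for instance <CODE>pgp</CODE> after <CODE>--nopgp</CODE>) was never performed. Only the first sample line is the book's real output; the other two are constructed, and the trailing "NOT OK" wording on the failure line is an assumption.
</P>

```shell
#!/bin/sh
# Classify one non-verbose "rpm -K" result line (added example, not from
# Maximum RPM). Prints:
#   ok                  - size, pgp and md5 all passed
#   failed: <names>     - at least one check is shown in parentheses
#   missing: <names>    - a check was not performed at all (e.g. --nopgp)
checksig_status() {
    # Lower-case the line so "(PGP)" and "(pgp)" are treated alike, then
    # drop the leading "filename:" so only the check words remain.
    checks=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/^[^:]*: *//')
    failed=''
    missing=''
    for name in size pgp md5; do
        case " $checks " in
            *" ($name) "*) failed="$failed $name" ;;   # printed in parentheses
            *" $name "*)   ;;                          # printed bare: passed
            *)             missing="$missing $name" ;; # not checked at all
        esac
    done
    if [ -n "$failed" ]; then
        printf 'failed:%s\n' "$failed"
    elif [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
    else
        printf 'ok\n'
    fi
}

# Run rpm -K over the given package files and report each one. Only the
# non-verbose form is parsed; -v output spans several lines per package.
verify_packages() {
    rpm -K "$@" 2>&1 | while IFS= read -r line; do
        printf '%s -> %s\n' "${line%%:*}" "$(checksig_status "$line")"
    done
}

# Constructed sample lines: the first is the book's actual output, the
# other two are assumed shapes for a bad signature and a --nopgp run.
SAMPLE_OK='rpm-2.3-1.i386.rpm: size pgp md5 OK'
SAMPLE_BADSIG='example-1.0-1.i386.rpm: size (pgp) md5 NOT OK'
SAMPLE_NOPGP='example-1.0-1.i386.rpm: size md5 OK'

for sample in "$SAMPLE_OK" "$SAMPLE_BADSIG" "$SAMPLE_NOPGP"; do
    printf '%s -> %s\n' "${sample%%:*}" "$(checksig_status "$sample")"
done
```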
<H4><A NAME="ch07_ 6">
7.3.1. -v: Display Additional Information
</A></H4>
<P>Adding v to a verification command will produce
more interesting output:
</P>
<!-- CODE //-->
<PRE>
# rpm -Kv rpm-2.3-1.i386.rpm
rpm-2.3-1.i386.rpm:
Header+Archive size OK: 278686 bytes
Good signature from user "Red Hat Software, Inc. &lt;redhat@redhat.com&gt;".
Signature made 1996/12/24 18:37 GMT using 1024-bit key, key ID CBA29BF9

WARNING:  Because this public key is not certified with a trusted signature,
it is not known with high confidence that this public key actually belongs
to: "Red Hat Software, Inc. &lt;redhat@redhat.com&gt;".
MD5 sum OK: 8873682c5e036a307dee87d990e75349
#
</PRE>
<P>With a bit of digging, we can see that each of the three tests was performed, and each
passed. The reason for that dire-sounding warning is that PGP is meant to operate without a
central authority managing key distribution. PGP certifies keys based on webs of trust. For
example,
</P>
</td>
</tr>
</table>
<!-- begin footer information -->
</body></html>