<HTML>
<HEAD>
<TITLE>Maximum RPM (RPM):Using RPM to Verify Package Files:EarthWeb Inc.-</TITLE>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>
<!-- ISBN=0672311054 //-->
<!-- TITLE=Maximum RPM (RPM)//-->
<!-- AUTHOR=Edward Bailey//-->
<!-- PUBLISHER=Macmillan Computer Publishing//-->
<!-- IMPRINT=Sams//-->
<!-- CHAPTER=07 //-->
<!-- PAGES=0093-0100 //-->
<!-- UNASSIGNED1 //-->
<!-- UNASSIGNED2 //-->
<P><CENTER>
<a href="0093-0096.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="0100-0100.html">Next</A>
</CENTER></P>
<A NAME="PAGENUM-97"><P>Page 97</P></A>
<P>if an acquaintance of yours creates a public key, you can certify it by attaching your
digital signature to it. Then anyone who knows and trusts you can also trust your
acquaintance's public key.
</P>
<P>In this case, the key came directly from a mass-produced Red Hat Linux CD-ROM. If
someone were trying to masquerade as Red Hat Software, Inc., then he'd have certainly gone
through a lot of trouble to do so. In this case, the lack of a certified public key is not a major
problem, given the fact that the CD-ROM came directly from the Red Hat Software offices.
</P>
<P>
<CENTER>
<TABLE BGCOLOR="#FFFF99">
<TR><TD><B>
NOTE
</B></TD></TR>
<TR><TD>
<BLOCKQUOTE>
Red Hat Software's public key is also available from its Web site at
<a href="http://www.redhat.com/redhat/contact.html">
http://www.redhat.com/redhat/contact.html</A>. The RPM sources also contain the
key and are available from their FTP site at ftp://ftp.redhat.com/pub/redhat/
code/rpm.
</BLOCKQUOTE></TD></TR>
</TABLE></CENTER>
</P>
<H4><A NAME="ch07_ 7">
7.3.2. When the Package Is Not Signed
</A></H4>
<P>As mentioned earlier, not every package you'll run across is going to be signed. If this is
the case, here's what you'll see from RPM:
</P>
<!-- CODE SNIP //-->
<PRE>
# rpm -K bother-3.5-1.i386.rpm
bother-3.5-1.i386.rpm: size md5 OK
#
</PRE>
<!-- END CODE SNIP //-->
<P>Note the lack of a pgp message. The size and
md5 messages indicate that the package still has size and checksum information that verified properly. In fact, all recently produced
package files will have these verification measures built in automatically.
</P>
<P>If you happen to run across an older unsigned package, you'll know it right away:
</P>
<!-- CODE SNIP //-->
<PRE>
# rpm -K apmd-2.4-1.i386.rpm
apmd-2.4-1.i386.rpm: No signature available
#
</PRE>
<!-- END CODE SNIP //-->
<P>Older package files had only a PGP-based signature; if that were missing, there would be nothing left to verify.
</P>
<H4><A NAME="ch07_ 8">
7.3.3. When You Are Missing the Correct Public Key
</A></H4>
<P>If you happen to forget to add the correct public key to RPM's keyring, you'll see the
following response:
</P>
<!-- CODE SNIP //-->
<PRE>
# rpm -K rpm-2.3-1.i386.rpm
rpm-2.3-1.i386.rpm: size (PGP) md5 OK (MISSING KEYS)
#
</PRE>
<!-- END CODE SNIP //-->
<A NAME="PAGENUM-98"><P>Page 98</P></A>
<P>Here the PGP in parentheses indicates that there's a problem with the signature, and the
message at the end of the line (MISSING KEYS) shows what the problem is. Basically, RPM
asked PGP to verify the package against a key that PGP didn't have, and PGP complained.
</P>
<H4><A NAME="ch07_ 9">
7.3.4. When a Package Just Doesn't Verify
</A></H4>
<P>Eventually it's going to happen: You go to verify a package, and it fails. We'll look at an
example of a package that fails verification a bit later. Before we do that, let's make a package
that won't verify in order to demonstrate how sensitive RPM's verification is.
</P>
<P>First, we made a copy of a signed package,
rpm-2.3-1.i386.rpm. We called the copy
rpm-2.3-1.i386-bogus.rpm. Next, using Emacs (in hexl-mode, for all you Emacs buffs), we changed
the first letter of the name of the system that built the original package. The file
rpm-2.3-1.i386-bogus.rpm is now truly bogus: It has been changed from the original file.
</P>
<P>Although the change was a small one, it still showed up when the package file was
queried. Here's a listing from the original package:
</P>
<!-- CODE //-->
<PRE>
# rpm -qip rpm-2.3-1.i386.rpm
Name        : rpm                          Distribution: Red Hat Linux Vanderbilt
Version     : 2.3                          Vendor: Red Hat Software
Release     : 1                            Build Date: Tue Dec 24 09:07:59 1996
Install date: (none)                       Build Host: porky.redhat.com
Group       : Utilities/System             Source RPM: rpm-2.3-1.src.rpm
Size        : 631157
Summary     : Red Hat Package Manager
Description :
RPM is a powerful package manager, which can be used to build, install,
query, verify, update, and uninstall individual software packages. A
package consists of an archive of files, and package information, including
name, version, and description.
#
</PRE>
<!-- END CODE //-->
<P>And here's the same listing from the bogus package file:
</P>
<!-- CODE //-->
<PRE>
# rpm -qip rpm-2.3-1.i386-bogus.rpm
Name        : rpm                          Distribution: Red Hat Linux Vanderbilt
Version     : 2.3                          Vendor: Red Hat Software
Release     : 1                            Build Date: Tue Dec 24 09:07:59 1996
Install date: (none)                       Build Host: qorky.redhat.com
Group       : Utilities/System             Source RPM: rpm-2.3-1.src.rpm
Size        : 631157
Summary     : Red Hat Package Manager
Description :
RPM is a powerful package manager, which can be used to build, install,
query, verify, update, and uninstall individual software packages. A
package consists of an archive of files, and package information, including
name, version, and description.
#
</PRE>
<!-- END CODE //-->
<A NAME="PAGENUM-99"><P>Page 99</P></A>
<P>Notice that the build hostname changed from
porky.redhat.com to qorky.redhat.com. Using the
cmp utility to compare the two files, we find that the difference occurs at byte 1201,
which changed from p (octal 160), to q (octal 161):
</P>
<!-- CODE SNIP //-->
<PRE>
# cmp -cl rpm-2.3-1.i386.rpm rpm-2.3-1.i386-bogus.rpm
1201 160 p 161 q
#
</PRE>
<!-- END CODE SNIP //-->
<P>People versed in octal numbers will note that only one bit has been changed in the entire
file. That's the smallest possible change you can make! Let's see how our bogus friend fares:
</P>
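<P>To show the same sensitivity without needing an actual RPM file, the following Python script (an added example, not code from the book or from the RPM project) builds a small constructed byte blob that stands in for a package, flips the low bit of the <TT>p</TT> in <TT>porky</TT> so it becomes <TT>q</TT>, then reproduces what <TT>cmp -cl</TT> reports and compares MD5 digests before and after. The blob contents and the byte offsets are assumptions of the example, not values from the book.
</P>
<PRE>
</PRE>

```python
import hashlib

# Constructed stand-in for a package file (not a real RPM header): a few
# NUL-separated fields, including a build host string as in the book's example.
ORIGINAL = b"RPM\x00header\x00buildhost=porky.redhat.com\x00payload..."


def flip_bit(data: bytes, offset: int, bit: int) -> bytes:
    """Return a copy of data with one bit flipped at a 0-based byte offset."""
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


def cmp_cl(a: bytes, b: bytes):
    """Mimic `cmp -cl`: one tuple per differing byte, as
    (1-based offset, octal value in a, char in a, octal value in b, char in b)."""
    diffs = []
    for i, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            diffs.append((i, f"{x:o}", chr(x), f"{y:o}", chr(y)))
    return diffs


def bits_changed(a: bytes, b: bytes) -> int:
    """Count differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo() -> dict:
    """Flip one bit in the build host ('p' 0x70 -> 'q' 0x71) and compare."""
    offset = ORIGINAL.index(b"porky")          # assumed position of the field
    bogus = flip_bit(ORIGINAL, offset, 0)
    return {
        "original_md5": hashlib.md5(ORIGINAL).hexdigest(),
        "bogus_md5": hashlib.md5(bogus).hexdigest(),
        "cmp": cmp_cl(ORIGINAL, bogus),        # -> [(22, '160', 'p', '161', 'q')]
        "bits_changed": bits_changed(ORIGINAL, bogus),
        "size_equal": len(ORIGINAL) == len(bogus),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The size check passes (the lengths are identical), exactly as in the book's bogus package, while the MD5 digest changes completely from a single flipped bit. A checksum alone only tells you the file differs from what the checksum was computed over; since the checksum travels inside the file, it is the PGP signature over the package that ties the digest to its publisher, which is why the signature check is the one that matters for provenance.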
<!-- CODE SNIP //-->
<PRE>
# rpm -K rpm-2.3-1.i386-bogus.rpm
rpm-2.3-1.i386-bogus.rpm: size PGP MD5 NOT OK
#
</PRE>
<!-- END CODE SNIP //-->
<P>Given that the command's output ends with NOT
OK in big capital letters, it's obvious there's a problem. Since the word size was printed in lowercase, the bogus package's size was okay,
which makes sense: We only changed the value of one bit, without adding or subtracting
anything else.
</P>
<P>However, the PGP signature, printed in uppercase, didn't verify. This makes sense, too.
The package that was signed by Red Hat Software has been changed. The fact that the
package's MD5 checksum also failed to verify provides further evidence that the bogus package is
just that: bogus.
</P>
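<P>The conventions explained in sections 7.3.2 through 7.3.4 (lowercase check name means it passed, uppercase means it failed, parentheses plus <TT>(MISSING KEYS)</TT> mean the signature could not be checked, and <TT>No signature available</TT> means there is nothing to verify) are easy to misread when scanning many packages. The following Python parser is an added example, not code from the book or from RPM; it encodes those rules for the output format quoted on this page and decides, per package, whether the result should be treated as trustworthy. The sample lines are the four quoted in this chapter; newer RPM releases print a different summary, so the format handled here is an assumption tied to this page.
</P>

```python
import re

# Constructed sample: the four `rpm -K` result lines quoted in sections 7.3.2-7.3.4.
SAMPLE_OUTPUT = """\
bother-3.5-1.i386.rpm: size md5 OK
apmd-2.4-1.i386.rpm: No signature available
rpm-2.3-1.i386.rpm: size (PGP) md5 OK (MISSING KEYS)
rpm-2.3-1.i386-bogus.rpm: size PGP MD5 NOT OK
"""

_LINE = re.compile(r"^(?P<pkg>\S+): (?P<rest>.*)$")


def parse_rpm_k_line(line: str) -> dict:
    """Parse one `rpm -K` result line into per-check statuses."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rpm -K line: {line!r}")
    pkg, rest = m.group("pkg"), m.group("rest")
    result = {"package": pkg, "checks": {}, "signed": False,
              "missing_key": False, "overall": None}

    if rest == "No signature available":
        result["overall"] = "unsigned"      # old-style package: nothing to verify
        return result

    # "(MISSING KEYS)" is a trailer explaining why a check is parenthesised.
    result["missing_key"] = "(MISSING KEYS)" in rest
    rest = rest.replace("(MISSING KEYS)", "").strip()

    # Test for "NOT OK" first, because "NOT OK" also ends with "OK".
    if rest.endswith("NOT OK"):
        result["overall"], tokens = "not ok", rest[:-len("NOT OK")].split()
    elif rest.endswith("OK"):
        result["overall"], tokens = "ok", rest[:-len("OK")].split()
    else:
        raise ValueError(f"no OK / NOT OK verdict in: {line!r}")

    for tok in tokens:
        parenthesised = tok.startswith("(") and tok.endswith(")")
        name = tok.strip("()")
        if parenthesised:
            status = "unverifiable"         # e.g. (PGP): key not on the keyring
        elif name.isupper():
            status = "failed"               # uppercase = the check did not verify
        else:
            status = "ok"                   # lowercase = the check verified
        result["checks"][name.lower()] = status

    result["signed"] = "pgp" in result["checks"]
    return result


def trusted(verdict: dict) -> bool:
    """True only if the package is signed and every check, the signature included,
    verified. Unsigned, unverifiable and failed results are all rejected."""
    return (verdict["overall"] == "ok"
            and verdict["signed"]
            and all(s == "ok" for s in verdict["checks"].values()))


def parse_rpm_k_output(text: str) -> list:
    """Parse a whole `rpm -K` run, one verdict per non-empty line."""
    return [parse_rpm_k_line(ln) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for v in parse_rpm_k_output(SAMPLE_OUTPUT):
        print(f"{v['package']}: {v['overall']} {v['checks']} trusted={trusted(v)}")
```

Note that none of the four quoted lines yields a trusted result: the first is unsigned, the second has nothing to verify, the third could not be checked for lack of the key, and the fourth fails outright. Only a line such as <TT>size pgp md5 OK</TT>, with every check in lowercase, passes the <TT>trusted</TT> test.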
<H4><A NAME="ch07_ 10">
7.3.5. --nopgp: Do Not Verify Any PGP Signatures
</A></H4>
<P>Perhaps you want to be able to verify packages but, for one reason or another, you cannot
use PGP. Maybe you don't have a trustworthy source of the necessary public keys, or maybe
it's illegal to possess encryption (like PGP) software in your country. Is it still possible to
verify packages?
</P>
<P>Certainly. In fact, we've already done it, in section 7.3.3. You lose the ability to verify
the package's origins, as well as some level of confidence in the package's integrity, but the size
and MD5 checksums still give some measure of assurance as to the package's state.
</P>
<P>Of course, when PGP can't be used, the output from a verification always looks like
something's wrong:
</P>
<!-- CODE SNIP //-->
<PRE>
# rpm -K rpm-2.3-1.i386.rpm
rpm-2.3-1.i386.rpm: size (PGP) md5 OK (MISSING KEYS)
#
</PRE>
<!-- END CODE SNIP //-->
<P>The --nopgp option directs RPM to ignore PGP entirely. If we use the
--nopgp option on the preceding example, we find that things look a whole lot better:
</P>
<!-- CODE SNIP //-->
<PRE>
# rpm -K --nopgp rpm-2.3-1.i386.rpm
rpm-2.3-1.i386.rpm: size md5 OK
#
</PRE>
<!-- END CODE SNIP //-->
<P><CENTER>
<a href="0093-0096.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="0100-0100.html">Next</A>
</CENTER></P>
</td>
</tr>
</table>
<!-- begin footer information -->
</body></html>