appendix-g.html

linux-unix130.linux.and.unix.ebooks130 linux and unix ebookslinuxLearning Linux - Collection of 12 E

G.2.1. Obtaining PGP
</H4>

<P>The first step in being able to verify .rpm files is to get a copy of PGP. Unfortunately, this is
not quite as simple as it might sound. The reason is that PGP is very controversial stuff.
</P>

<P>Why the controversy? It centers on PGP's primary mission: to provide a means of
communicating with others in complete privacy. As we've discussed, PGP uses encryption to
provide this privacy. Good encryption. Very good encryption. Encryption so good, it appears that
some of the world's governments consider PGP a threat to their national security.
</P>

<H4>
G.2.1.1. Know Your Laws!
</H4>

<P>Various countries have differing stands on the use of &quot;strong encryption&quot; products such as
PGP. In some countries, possession of encryption software is strictly forbidden. Other countries
attempt to control the flow of encryption technology into (or out of) their countries. It is
vital that you know your country's laws, lest you find yourself in prison, or possibly in front of
a firing squad!
</P>

<A NAME="PAGENUM-421"><P>Page 421</P></A>



<H4>
G.2.1.2. Patent/Licensing Issues Surrounding PGP
</H4>

<P>Over and above PGP's legal status, there are other aspects to PGP that people living in
the U.S. and Canada should keep in mind:
</P>

<UL>
<LI>          PGP is
free&#151;for noncommercial use only. If you are going to use PGP for
business purposes, you should look into getting a commercial copy. PGP is marketed in
the United States by
<P>Pretty Good Privacy, Inc.<br>
2121 S. El Camino Real<BR>
Suite 902<BR>
San Mateo, CA 94403<BR>
Phone: 415-572-0430<BR>
Fax: 415-572-1932<BR>
<!-- CODE SNIP //-->
<PRE>
<A HREF="http://www.pgp.com/">
http://www.pgp.com/</A>
</PRE>
<!-- END CODE SNIP //-->
</P>
<LI>          Part of the software that comprises PGP is protected by several
U.S. patents. Versions of PGP approved for use in the United States contain a licensed version of
this software, known as RSAREF, which includes a patent license that allows the use of
the software in noncommercial settings only. Commercial use of
the technology contained in RSAREF requires a separate license. This is one reason there are restrictions on
the commercial use of PGP in the United States and Canada.
<P>          While people outside the United States and Canada can use RSAREF-based
PGP, they will probably choose the so-called international version.
This version replaces RSAREF with software known as MPILIB. MPILIB is, in general, faster
than RSAREF, but it cannot legally be used in the United States or Canada.
</UL>

<P>To summarize, if you are using PGP for commercial purposes in the United States or
Canada, you'll need to purchase it. Otherwise, people living in the United States or Canada should
use a version of PGP incorporating RSAREF. People in other countries can use any version of
PGP they desire, although they'll probably choose the MPILIB-based international version.
(Note that there are no commercial restrictions regarding PGP in countries other than the
United States and Canada.)
</P>

<H4>
G.2.1.3. Getting RSAREF-Based PGP
</H4>

<P>The official source for the latest version of PGP based on RSAREF is the Massachusetts
Institute of Technology. Due to the restrictions on the export of encryption technology,
the process is somewhat convoluted. The easiest way to obtain PGP from the official MIT archive
is to use the World Wide Web. Point your Web browser to
</P>
<!-- CODE SNIP //-->
<PRE>
<A HREF="http://web.mit.edu/network/pgp.html">
http://web.mit.edu/network/pgp.html</A>
</PRE>
<!-- END CODE SNIP //-->

<P>Simply follow the steps, and you'll have the necessary software on your system in no time.
</P>

<A NAME="PAGENUM-422"><P>Page 422</P></A>



<P>There is a more cumbersome method that doesn't use the Web. It involves first using
anonymous FTP to obtain several files of instructions and license agreements. You will then be
directed to use telnet to obtain the name of a temporary FTP directory containing the PGP
software. Finally, you can use anonymous FTP to retrieve the software. To start this process, FTP to
</P>

<!-- CODE SNIP //-->
<PRE>
net-dist.mit.edu
</PRE>
<!-- END CODE SNIP //-->

<P>
and then change the directory to
</P>

<!-- CODE SNIP //-->
<PRE>
/pub/PGP
</PRE>
<!-- END CODE SNIP //-->

<P>Obtain a copy of the file README and follow the instructions in it exactly.
</P>

<P>If all this seems like too much trouble, there is another alternative. You can find copies of
PGP on just about any BBS, FTP, or Web site advertising freely available software. Be aware,
however, that Floyd's Storm Door and BBS Company may not be as trustworthy a place as MIT
to obtain encryption software. It's really a question of how paranoid you are.
</P>

<H4>
G.2.1.4. Outside the United States and Canada
</H4>

<P>For people living in other countries, it is much easier to find PGP (depending on the legality
of encryption software, of course). Try any of the places you'd normally
look for free software. Keep in mind, however, that you shouldn't download PGP from any sites in the U.S.
Doing so is considered an &quot;export&quot; of munitions, and can get the people responsible for the site
in deep trouble. Wherever you eventually get PGP, since the patents that complicate matters
for the United States do not apply abroad, you'll probably end up with the international
version of PGP.
</P>

<H4>
G.2.2. Building PGP
</H4>

<P>Building PGP is mostly a matter of following instructions. However, users of ELF-based
Linux distributions (such as Red Hat Linux) will find that PGP will not build. The problem,
according to the PGP FAQ, is that two files do not properly handle the C preprocessor directives
that affect support for ELF. The changes are to two files:
80386.S and zmatch.S. Near the beginning of each, you'll find either an
#ifndef or an #ifdef for SYSV. If you find
</P>

<!-- CODE SNIP //-->
<PRE>
#ifndef SYSV
</PRE>
<!-- END CODE SNIP //-->

<P>it should be changed to read
</P>

<!-- CODE SNIP //-->
<PRE>
#if !defined(SYSV) &amp;&amp; !defined(__ELF__)
</PRE>
<!-- END CODE SNIP //-->

<P>If you find
</P>

<!-- CODE SNIP //-->
<PRE>
#ifdef SYSV
</PRE>
<!-- END CODE SNIP //-->

<P>
it should be changed to read
</P>

<!-- CODE SNIP //-->
<PRE>
#if defined(SYSV) || defined(____ELF____)

</PRE>
<!-- END CODE SNIP //-->
<A NAME="PAGENUM-423"><P>Page 423</P></A>

<P>After you make these changes, PGP should build with no problems.
</P>

<H4>
G.2.3. Ready to Go!
</H4>

<P>After building and installing PGP, you're ready to start using RPM's package-signature
capabilities. If your primary interest is in checking the signatures on packages built by
someone else, see Chapter 7, &quot;Using RPM to Verify Package Files,&quot; which will tell you everything
you need to know.
</P>

<P>On the other hand, if you are a package builder and would like to start signing packages,
see Chapter 17, &quot;Adding PGP Signatures to a Package,&quot; and it will have you signing packages
in no time.
</P>

<A NAME="PAGENUM-424"><P>Page 424</P></A>




<P><CENTER>
<a href="appendix-f.html">Previous</a> | <a href="ewtoc.html">Table of Contents</a> | </CENTER></P>



</td>
</tr>
</table>
<!-- begin footer information -->



</body></html>