On 20/10/99 Hugo Bouckaert wrote:
>I have come across something very strange. Pgp signatures for some rpm
>updates don't seem to give me the OK:
>
> > rpm -K lpr-0.44-1.i386.rpm
> > lpr-0.44-1.i386.rpm: size md5 GPG NOT OK
>
>Yes, when I install anyway, it installs OK and (in this case) printing
>works OK as well.
>
>Frankly I am not sure what GPG stands for. Does anyone know what is going on
>here?
Yes, RPMs have two signatures: one is a simple MD5sum that is used to
ensure the archive is intact and undamaged; the other is the optional
PGP/GPG signature, which is cryptographically secure, made by Pretty
Good Privacy or GNU Privacy Guard. The maintainer of the package
should and usually does sign them with his GPG/PGP key so only he can
create the signature; Red Hat RPMs are always signed by the Red Hat
key. If a GPG/PGP sig does not verify, that means either a) you do
not have the needed public key to verify the signature, or that key
is not considered valid by GPG (because you did not verify that it is
genuine and certify it, or have a trusted key that certified it), or
b) the archive has been tampered with and the files it contains could
be trojans.
It's a very good idea to verify PGP/GPG signatures on all software you
download, especially from Red Hat and whatnot. If they do not match I
would NOT install it anyway.
Ethan Benson
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OpenPGP encrypted mail accepted.
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
Key FingerPrint: 371A 7416 5D39 CF2D 9366 8AF6 0139 54F5 3EBD 0FE6
RSA Key FingerPrint: DE8B 74D0 79F1 6176 9AF5 120F 47AD 9B0A
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
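As an added example (not part of Ethan's reply or of rpm itself), a small Python script that sorts the per-check lines of `rpm -Kv` into the two failure cases the reply distinguishes: the public key is missing (import the vendor key and re-check) versus a digest or signature that is actually BAD (do not install). The line format is assumed from rpm 4.x verbose output, not the 1999 rpm that printed the quoted `size md5 GPG NOT OK`; the sample output and the key ID in it are constructed.

```python
"""Classify `rpm -Kv <pkg>` output: ok, missing-key, tampered or unknown."""
import re
import subprocess
import sys

# One line per check, indented, e.g. "    MD5 digest: OK" (format assumed from rpm 4.x).
CHECK_RE = re.compile(r"^\s+(?P<check>.+?):\s+(?P<status>\S+)\s*$")

def classify(output):
    """Return (verdict, detail) for the verbose check output of one package."""
    statuses = {}
    for line in output.splitlines():
        m = CHECK_RE.match(line)
        if m:
            statuses[m.group("check")] = m.group("status")
    if not statuses:
        return "unknown", "no check lines found"
    bad = [c for c, s in statuses.items() if s == "BAD"]
    if bad:
        # Case (b) in the reply: contents do not match digest/signature.
        return "tampered", ", ".join(bad)
    nokey = [c for c, s in statuses.items() if s == "NOKEY"]
    if nokey:
        # Case (a): signature present, but the verifying public key is not imported.
        return "missing-key", ", ".join(nokey)
    if all(s == "OK" for s in statuses.values()):
        return "ok", "all checks passed"
    return "unknown", ", ".join(f"{c}={s}" for c, s in statuses.items() if s != "OK")

# Constructed sample output; "0123abcd" is a placeholder key ID, not a real one.
SAMPLE_NOKEY = """\
lpr-0.44-1.i386.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    MD5 digest: OK
"""
SAMPLE_BAD = SAMPLE_NOKEY.replace("NOKEY", "OK").replace("MD5 digest: OK", "MD5 digest: BAD")
SAMPLE_OK = SAMPLE_NOKEY.replace("NOKEY", "OK")

if __name__ == "__main__":
    # Usage: python check_rpm_sig.py package.rpm  (requires rpm on the host)
    out = subprocess.run(["rpm", "-Kv", sys.argv[1]], capture_output=True, text=True).stdout
    verdict, detail = classify(out)
    print(f"{sys.argv[1]}: {verdict} ({detail})")
    sys.exit(0 if verdict == "ok" else 1)
```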