At 10:05 AM 11/21/01 +0100, Mariusz Pekala wrote:

>> It lets you detect if a file has been changed or corrupted by accident or
>> error rather than by someone's malicious action.
>
>No.
>1) The modified file also has its md5 sum.
>2) The md5 of the modified file will be different than the md5 of an
>unmodified one.
>How does rpm find out what the unmodified md5 is?
You can view an RPM file as three pieces: the actual installable package, the MD5 checksum of the installable package, and an (optional) GPG signature for the installable package. The MD5 checksum block is actually part of the rpm file, and gives the checksum of the rest of the file (I don't think this includes the GPG signature, but it doesn't really matter).

The probability that random errors in the file would produce an rpm file with a valid MD5 checksum block is small enough not to really be worth considering. (The MD5 checksum is 128 bits long with excellent dispersion, so if I remember my probability theory the odds that a particular checksum will be correct for a randomly altered block of data are about 340282366920938463463374607431768211456 to 1 against.)

The problem with MD5 checksums as a file verification is that all they tell you is that at some point somebody calculated the MD5 checksum of the installable package part of the RPM file. It doesn't tell you who did it or when (i.e. I can download an rpm file, modify the installable package and then calculate the MD5 checksum for the modified package and put that into the RPM file as well, then "rpm --checksig --nogpg" will tell you that the file is ok).

This is why we have GPG signatures as well. Provided that you have the correct public key(s) for RPM distributors you trust (Redhat puts its public keys up on its website somewhere AFAIR), checking the GPG signature tells you (if the signature is valid) that whoever made up the RPM package had a copy of the private key corresponding to whatever public key you used to check the signature. We hope Redhat, or whoever, keeps careful track of their private keys so that we can assume that if one of Redhat's private keys was used to sign an RPM file it implies that Redhat approved of the RPM file's contents.
If you also decide that you trust Redhat to only approve safe software, then it follows that any RPM with a good GPG signature from Redhat is itself safe, regardless of where you got it from.

-- 
"Yes, I am paranoid," said the old king, "but am I paranoid enough?"

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
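As an added illustration of the three-piece model and the `--nogpg` point made in the reply above (this is constructed example code, not code from the thread or from rpm itself): a package is modelled as payload, MD5 block and signature block, and a `checksig`-style function is run over a good copy, a copy corrupted in transit, a copy tampered with and re-checksummed, and a copy re-signed with a different key. It assumes an HMAC keyed with a vendor key as a stand-in for the GPG signature, so unlike GPG the verifier holds the same key as the signer; the names `build_package`, `checksig` and the helpers are my own.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for an RPM file: the installable payload, an MD5 block
# over the payload, and an optional signature block. The signature is an
# HMAC-SHA256 keyed MAC standing in for a GPG signature (assumption: symmetric,
# so whoever verifies holds the same key; real GPG uses a public/private pair).

def build_package(payload: bytes, signing_key: Optional[bytes] = None) -> dict:
    """Assemble the three pieces described in the mail."""
    md5_block = hashlib.md5(payload).digest()
    sig_block = hmac.new(signing_key, payload, "sha256").digest() if signing_key else None
    return {"payload": payload, "md5": md5_block, "sig": sig_block}

def checksig(pkg: dict, trusted_key: Optional[bytes] = None, nogpg: bool = False) -> bool:
    """Mimic `rpm --checksig`: the MD5 block is always checked, the signature
    only when nogpg is False (i.e. unless `--nogpg` was given)."""
    if not hmac.compare_digest(hashlib.md5(pkg["payload"]).digest(), pkg["md5"]):
        return False                 # payload no longer matches its MD5 block
    if nogpg:
        return True                  # integrity only; says nothing about who built it
    if pkg["sig"] is None or trusted_key is None:
        return False                 # unsigned package, or no trusted key to check with
    expected = hmac.new(trusted_key, pkg["payload"], "sha256").digest()
    return hmac.compare_digest(expected, pkg["sig"])

def corrupt_in_transit(pkg: dict) -> dict:
    """Accidental damage: flip one bit of the payload, leave the MD5 block alone."""
    data = bytearray(pkg["payload"])
    data[0] ^= 0x01
    return {**pkg, "payload": bytes(data)}

def tamper_and_recompute_md5(pkg: dict) -> dict:
    """Deliberate change: alter the payload and refresh the MD5 block, but the
    stale signature block is carried over unchanged."""
    new_payload = pkg["payload"] + b" (altered)"
    return {"payload": new_payload, "md5": hashlib.md5(new_payload).digest(), "sig": pkg["sig"]}

def md5_random_match_odds() -> int:
    """The 'to 1 against' figure quoted in the mail: 2 to the power 128."""
    return 2 ** 128

def demo() -> dict:
    vendor_key = b"constructed-vendor-signing-key"   # constructed sample key
    other_key = b"constructed-unrelated-key"         # a key the verifier does not trust
    good = build_package(b"original package contents", vendor_key)
    tampered = tamper_and_recompute_md5(good)
    resigned = build_package(tampered["payload"], other_key)
    return {
        "good": checksig(good, vendor_key),                           # True
        "corrupted_nogpg": checksig(corrupt_in_transit(good), nogpg=True),  # False
        "tampered_nogpg": checksig(tampered, nogpg=True),             # True: MD5 alone is fooled
        "tampered_signed": checksig(tampered, vendor_key),            # False: stale signature
        "resigned_other_key": checksig(resigned, vendor_key),         # False: wrong key
    }
```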