On Mon, Dec 30, 2002 at 10:57:42PM +0100, Ralf S. Engelschall wrote:
> On Mon, Dec 30, 2002, Matthias Kurz wrote:
> > > > When I try to verify the pgp signature of a src.rpm, I always get
> > > > "MD5 sum OK: ...." - nothing with pgp.
> > > > E.g.:
> > > > rpm -v --checksig mutt-1.4i-20021230.src.rpm
> > > > mutt-1.4i-20021230.src.rpm:
> > > > MD5 sum OK: cd03b408c67b07ac7720cae8ee02e246
> > > >
> > > > I installed gpg, imported the pgp public key and set "$_signature pgp"
> > > > in my $HOME/.rpmmacros.
> > > >
> > > > What am I doing wrong?
> > >
> > > Only RPMs of OpenPKG _releases_ are signed. The OpenPKG-CURRENT RPMs
> > > are not signed -- mainly because signing requires the OpenPKG master
> > > key, which is not available all the time while developers are working
> > > on OpenPKG-CURRENT packages. It is only available in the release
> > > engineering process.
> >
> > So, how can one validate a "current" package? MD5 sums _in_ the package
> > do not look very secure to me :)
>
> Yes, sorry, OpenPKG-CURRENT packages currently cannot be verified at all.
> But perhaps we should create a less-secured GPG sub-key just for signing
> the OpenPKG-CURRENT packages on the FTP server?

Looking at the latest trojans, I think this is necessary.

> > Especially, what about openpkg-*.src.sh?
> > This is just a shell script, you cannot easily add a signature!?

Sure. But then there should be a "very public" known key (on a web site
and so on, md5 or whatever) - I hope you're verifying your keys/checksums
on a very regular basis (at least daily, with tripwire or some such).

That the last-stage installation requires root privileges makes the
packages a "valuable" target (at least).
The world is bad.

(mk)
--
Matthias Kurz; Fuldastr. 3; D-28199 Bremen; VOICE +49 421 53 600 47
>> In the premotor cortex anyone can be a hero. (bdw) <<
______________________________________________________________________
The OpenPKG Project www.openpkg.org
User Communication List [EMAIL PROTECTED]
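The practical trap behind this thread is that `rpm --checksig` exits 0 whenever the checks it can perform succeed, so an unsigned package with a correct MD5 sum (the mutt src.rpm above) passes silently and only the absence of a "gpg OK" line tells you that nothing was signed. The following helpers are an added example, not code from the thread or from the OpenPKG project: they parse the verbose checksig output and treat "no signature at all" as a failure, and they check a detached gpg signature for a plain file such as openpkg-*.src.sh, which cannot carry an embedded rpm signature. The matched output strings are assumptions modelled on rpm 4.x of that period, and the `.asc` naming convention for the detached signature is likewise assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenPKG project.
# rpm --checksig returns success when the checks it could run succeed, so an
# unsigned package with a good MD5 sum passes. These helpers make "no
# signature" a failure instead of a silent pass.

# checksig_verdict: reads `rpm -v --checksig` output on stdin, prints one of
# "signed", "unsigned" or "bad" and returns 0 only for "signed".
# The strings matched below ("gpg OK", "pgp OK", "... signature: OK",
# "Signature, key ID ...: OK", "NOT OK") are assumptions modelled on rpm 4.x
# output formats; check them against the rpm version you actually run.
checksig_verdict() {
    verdict=unsigned
    while IFS= read -r line; do
        case "$line" in
            *"NOT OK"*)
                # bad or unknown-key signature: never downgrade to "signed"
                verdict=bad ;;
            *"gpg OK"*|*"pgp OK"*|*"signature: OK"*|*"Signature, key ID"*": OK"*)
                [ "$verdict" = bad ] || verdict=signed ;;
        esac
    done
    printf '%s\n' "$verdict"
    [ "$verdict" = signed ]
}

# require_signed_rpm FILE: refuse FILE unless rpm verified a signature on it.
# Only "MD5 sum OK" (or nothing at all, e.g. rpm not installed) yields
# "unsigned" and a non-zero exit.
require_signed_rpm() {
    rpm -v --checksig "$1" 2>&1 | checksig_verdict
}

# verify_detached FILE: for a plain file such as openpkg-*.src.sh, check a
# detached armoured signature FILE.asc published next to it (assumed naming;
# created by the publisher with `gpg --armor --detach-sign FILE`). The signing
# key must already be in your keyring and its fingerprint compared with the
# one the project publishes out of band, otherwise a good verdict proves
# nothing about who signed.
verify_detached() {
    gpg --verify "$1.asc" "$1"
}

# Usage: ./check.sh pkg-1.0.src.rpm openpkg-1.1.src.sh
if [ $# -gt 0 ]; then
    for f in "$@"; do
        case "$f" in
            *.rpm) require_signed_rpm "$f" ;;
            *)     verify_detached "$f" ;;
        esac
    done
fi
```

Wiring `require_signed_rpm` in front of the install step (the one that runs as root) is the point: it fails closed on an OpenPKG-CURRENT package that carries only an MD5 sum, whereas `rpm --checksig` alone would have let it through.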