On Fri, 2005-07-01 at 14:16 -0500, Michael Yep wrote:
> Hello
>
> I installed an rpm on my system that I got off the web.
> How can I know if it is a trusted package?
>
> [winston@localhost ~]$ rpm -vvK compat-libstdc++-296-2.96-132.fc4.i386.rpm
> D: Expected size: 178657 = lead(96)+sigs(344)+pad(0)+data(178217)
> D: Actual size: 178657
> D: opening db index /var/lib/rpm/Packages rdonly mode=0x0
> D: locked db index /var/lib/rpm/Packages
> D: opening db index /var/lib/rpm/Pubkeys rdonly mode=0x0
> D: read h# 279 Header sanity check: OK
> D: ========== DSA pubkey id b44269d0 4f2a6fd2 (h#279)
> compat-libstdc++-296-2.96-132.fc4.i386.rpm:
> Header V3 DSA signature: OK, key ID 4f2a6fd2
> Header SHA1 digest: OK (dcd6900d5f8126232eee364b4662fe7e38155377)
> MD5 digest: OK (b0580787dce3f1a1bbf9774340d20cf8)
> V3 DSA signature: OK, key ID 4f2a6fd2
> D: closed db index /var/lib/rpm/Pubkeys
> D: closed db index /var/lib/rpm/Packages
> D: May free Score board((nil))
> [winston@localhost ~]$
>
> I forget where I even downloaded it from, but I didn't import anything
> to my keyring.

> What keys come with FC4?

Look in /etc/pki/rpm-gpg

> Which ones are trusted?

Anything that's in there has presumably been put there as a result of a
package installation (you could use "rpm -qf /etc/pki/rpm-gpg/filename"
to see which package a key belongs to) and it should be reasonable for
you to trust any key provided by a package you've already installed, if
you're careful as you appear to be about these things.

> I understand that the package has the correct checksum, but can I trust
> the signer?

The key in this case is the RPM-GPG-KEY-fedora one. Decide for yourself :-)

Paul.
--
Paul Howarth <paul@xxxxxxxxxxxx>
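The reasoning in the reply above can be turned into a small script. The point it makes explicit: a digest line ("MD5 digest: OK") only proves the file was not corrupted, while a "signature: OK, key ID ..." line proves the package was signed by a key that is already in the rpm database (rpm reports NOKEY otherwise, which is why the poster's output shows rpm reading a pubkey header from /var/lib/rpm/Pubkeys even though he imported nothing himself). The script below is an added example, not code from the thread or from rpm. It parses `rpm -Kv` style output and the output of `rpm -q gpg-pubkey`, and reports whether the package is signed by an imported key, signed by an unknown key, unsigned, or carries a bad signature. The sample texts are constructed from the output quoted above; the gpg-pubkey package names and the second key ID are illustrative, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies an RPM from the per-signature
# lines that `rpm -Kv` prints and the list of imported keys from
# `rpm -q gpg-pubkey`. The sample inputs below are constructed.

# Constructed from the `rpm -vvK` output quoted in the thread (D: lines dropped).
SAMPLE_OK='compat-libstdc++-296-2.96-132.fc4.i386.rpm:
Header V3 DSA signature: OK, key ID 4f2a6fd2
Header SHA1 digest: OK (dcd6900d5f8126232eee364b4662fe7e38155377)
MD5 digest: OK (b0580787dce3f1a1bbf9774340d20cf8)
V3 DSA signature: OK, key ID 4f2a6fd2'

# Constructed: the same shape for a package signed by a key rpm does not have.
# (Key ID a1b2c3d4 is made up.)
SAMPLE_NOKEY='foo-1.0-1.i386.rpm:
Header V3 DSA signature: NOKEY, key ID a1b2c3d4
Header SHA1 digest: OK (0000000000000000000000000000000000000000)
MD5 digest: OK (00000000000000000000000000000000)
V3 DSA signature: NOKEY, key ID a1b2c3d4'

# Constructed: an unsigned package; digests verify, nothing else.
SAMPLE_UNSIGNED='bar-2.0-1.noarch.rpm:
Header SHA1 digest: OK (1111111111111111111111111111111111111111)
MD5 digest: OK (11111111111111111111111111111111)'

# Constructed `rpm -q gpg-pubkey` listing. rpm names imported keys
# gpg-pubkey-<low 32 bits of key id>-<creation time>; the suffixes here are
# illustrative.
SAMPLE_PUBKEYS='gpg-pubkey-4f2a6fd2-3f9d9d3b
gpg-pubkey-db42a60e-37ea5438'

# Print "VERDICT keyid" (keyid lowercased, one line per distinct pair) for
# every "... signature: VERDICT, key ID xxxxxxxx" line in $1.
signature_lines() {
    printf '%s\n' "$1" |
        sed -n 's/.*signature: \([A-Z]*\), key ID \([0-9a-fA-F]*\).*/\1 \2/p' |
        awk '{ print $1, tolower($2) }' |
        sort -u
}

# assess_rpm RPM_KV_OUTPUT PUBKEY_LISTING
# Prints one line:
#   trusted <keyid>  every signature verifies and the key is imported
#   nokey <keyid>    signed, but the signing key is not in the rpm database
#   bad <keyid>      a signature is present but does not verify
#   unsigned         digests only: integrity, not authenticity
assess_rpm() {
    sigs=$(signature_lines "$1")
    if [ -z "$sigs" ]; then
        echo unsigned
        return 0
    fi
    result=trusted
    key=
    # Read from a here-document, not a pipe: in POSIX sh the right-hand side of
    # a pipe runs in a subshell and would not update $result.
    while read -r verdict keyid; do
        key=$keyid
        case "$verdict" in
            OK)
                # rpm only says OK when it found the key, but cross-check the
                # listing anyway so the two sources must agree.
                if ! printf '%s\n' "$2" | grep -q "^gpg-pubkey-${keyid}-"; then
                    [ "$result" = bad ] || result=nokey
                fi
                ;;
            NOKEY)
                [ "$result" = bad ] || result=nokey
                ;;
            *)
                result=bad
                ;;
        esac
    done <<EOF
$sigs
EOF
    echo "$result $key"
}

# Live use on a Fedora box (the test below uses the constructed samples only):
#   assess_rpm "$(rpm -Kv some.rpm)" "$(rpm -q gpg-pubkey)"
```

Once the script names a key ID, `rpm -qi gpg-pubkey-<keyid>-*` prints the user ID embedded in that key, and `rpm -qf /etc/pki/rpm-gpg/<file>` (as the reply suggests) shows which installed package delivered the key file; together those answer "who is the signer" without deciding for you whether to trust them.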