Bug 86173

Summary: scripts for checking source distribution signatures.
Product: [Retired] Red Hat Linux
Reporter: Jeremiah Johnson <jjohnson>
Component: rpm
Assignee: Paul Nasrat <nobody+pnasrat>
Status: CLOSED WONTFIX
QA Contact: Mike McLean <mikem>
Severity: medium
Priority: medium
Version: 8.0
CC: mitr
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2005-09-26 21:36:25 UTC

Description Jeremiah Johnson 2003-03-15 22:09:23 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312

Description of problem:
Hello all,

I just finished up my scripts and I'd like to post them here and get some 
feedback.  

rpm-md5-check.sh - If you have source.tar.gz, and source.tar.gz.md5 this script 
compares the md5sums.

rpm-gpg-check.sh - If you have source.tar.gz, and source.tar.gz.sig or 
source.tar.gz.asc this script verifies the gpg/pgp signatures.
Script will also automagically download the keyfile from your keyserver if you 
don't already have it.  Script also takes the keyid as an
argument.  Also has colorful messages compared to the md5 script; I care more 
about gpg verification than md5 for obvious reasons.

If the scripts fail, they exit 2 so you can check your files.

These scripts should also be available on the website soon. (we're in the 
middle of moving to a new server.. fun)

Usage is pretty easy.  Here is the example from my openssh.spec:

%prep
[ -x /usr/lib/rpm/rpm-md5-check.sh ] && SOURCE=%{name}-%{version}.tar.gz /usr/lib/rpm/rpm-md5-check.sh
[ -x /usr/lib/rpm/rpm-gpg-check.sh ] && SOURCE=%{name}-%{version}.tar.gz /usr/lib/rpm/rpm-gpg-check.sh 86FF9C48
%setup -q

here is some sample output:

MD5

+ SOURCE=wget-1.8.2.tar.gz
+ /usr/lib/rpm/rpm-md5-check.sh
Source md5 verification file found.
Verifing...
/usr/space/distro/organized_sources/wget ~/rpm_build/BUILD
wget-1.8.2.tar.gz: OK
~/rpm_build/BUILD
Verfication complete.
md5sum's are the same.
+ cd /home/miah/rpm_build/BUILD
+ rm -rf wget-1.8.2


GPG

+ SOURCE=openssh-3.5p1.tar.gz
+ /usr/lib/rpm/rpm-md5-check.sh
Source md5 verification file not found.
+ '[' -x /usr/lib/rpm/rpm-gpg-check.sh ']'
+ SOURCE=openssh-3.5p1.tar.gz
+ /usr/lib/rpm/rpm-gpg-check.sh 86FF9C48
Source gpg verification file found. [.sig]
gpg: Signature made Fri Oct  4 06:34:43 2002 GMT-5 using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) <djm>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3981 992A 1523 ABA0 79DB  FC66 CE8E CB03 86FF 9C48
SUCCESS: Source verification completed.
+ cd /home/miah/rpm_build/BUILD
+ rm -rf openssh-3.5p1


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Use the scripts.
two.
three.

Additional info:

The scripts are available for download from:

http://www.sunrise-linux.com/~miah/rpm-gpg-check.sh
http://www.sunrise-linux.com/~miah/rpm-md5-check.sh

In the future, the scripts will likely be located under
http://www.sunrise-linux.com/projects.  If this changes I will update this
bugzilla entry.

md5-check isn't very portable right now because of the use of the md5sum command
with the -c option (which isn't available on other OSes).

gpg-check uses some ANSI color codes to make errors a little more noticeable.

Comment 1 Jeff Johnson 2003-03-22 20:10:10 UTC
The scripts look useful, but need the following changes:
    a) the signature checking loads key to keyring, assumes
    that there is a keyring attached to the user building
    a package, and that the user has configured hkp server, etc.
    This isn't generally true with, say, an automated build system.
    Could you try loading key into local keyring from file? Assume
    that argv[1] follows usual *.sig *.asc gpg conventions.

    b) The colorization assumes a linux console. Could
     you remove, or, (even better) extract parameters from
     configured TERM if present? Any of dialog/slang/expect
     (or your favorite interpreter) might be useful.

Thanks.
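
A sketch of the load-key-from-file check asked for in point (a) above, and of the .sig/.asc lookup the reporter's description mentions. This is an added example, not the reporter's rpm-gpg-check.sh; the script name rpm-sig-check.sh, the choice of gpgv, and the keyring path convention are assumptions.

```shell
#!/bin/sh
# Added example, not the reporter's script: verify a source tarball against
# its detached .sig/.asc using only a keyring FILE shipped with the package,
# so no user keyring or keyserver is needed (comment 1, point a).
# Usage: rpm-sig-check.sh SOURCE KEYRING   (exit 2 on any failure)

# Locate the detached signature beside SOURCE: prefer .sig, then .asc.
# Prints the path and returns 0, or prints nothing and returns 2.
find_sigfile() {
    for ext in sig asc; do
        if [ -f "$1.$ext" ]; then
            printf '%s\n' "$1.$ext"
            return 0
        fi
    done
    return 2
}

# Verify SOURCE ($1) with the signature found beside it, trusting only the
# keys in the binary keyring file ($2, e.g. produced with "gpg --export").
# Returns 0 on a good signature and 2 otherwise, so a %prep line can abort
# the build the way the reporter's scripts do.
verify_source() {
    src=$1
    keyring=$2
    [ -f "$src" ] || { echo "ERROR: source $src not found" >&2; return 2; }
    [ -f "$keyring" ] || { echo "ERROR: keyring $keyring not found" >&2; return 2; }
    sigfile=$(find_sigfile "$src") || {
        echo "ERROR: no $src.sig or $src.asc found" >&2; return 2; }
    # gpgv treats every key in the given keyring as trusted and needs no
    # trustdb or HKP server.  Give the keyring as an absolute path: a bare
    # filename is looked up in ~/.gnupg instead.  --status-fd 1 prints
    # machine-readable lines; VALIDSIG appears only for a good signature.
    gpgv --status-fd 1 --keyring "$keyring" "$sigfile" "$src" 2>/dev/null \
        | grep -q '^\[GNUPG:\] VALIDSIG ' || {
        echo "ERROR: signature on $src did not verify" >&2; return 2; }
    echo "SUCCESS: $src verified against $sigfile"
    return 0
}

# Entry point when run as the script itself (skipped when sourced).
if [ "${0##*/}" = "rpm-sig-check.sh" ]; then
    [ "$#" -eq 2 ] || { echo "usage: $0 SOURCE KEYRING" >&2; exit 2; }
    verify_source "$1" "$2"
    exit $?
fi
```

From a spec file this would be run in %prep as, for instance, /usr/lib/rpm/rpm-sig-check.sh %{SOURCE0} %{SOURCE1} || exit 2, with the exported keyring listed as a Source of the package.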

Comment 2 Paul Nasrat 2005-09-26 21:36:25 UTC
The scripts are no longer available - please reopen mail rpm-devel-list if you
still wish this for consideration for a future rpm release