Bug 86173 - scripts for checking source distribution signatures.
scripts for checking source distribution signatures.
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: rpm (Show other bugs)
8.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Paul Nasrat
Mike McLean
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-03-15 17:09 EST by Jeremiah Johnson
Modified: 2007-04-18 12:52 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-26 17:36:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jeremiah Johnson 2003-03-15 17:09:23 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312

Description of problem:
Hello all,

I just finished up my scripts and I'd like to post them here and get some 
feedback.  

rpm-md5-check.sh - If you have source.tar.gz, and source.tar.gz.md5 this script 
compares the md5sums.

rpm-gpg-check.sh - If you have source.tar.gz, and source.tar.gz.sig or 
source.tar.gz.asc this script verifies the gpg/pgp signatures.
Script will also automagically download the keyfile from your keyserver if you 
don't already have it.  Script also takes the keyid as an
arguement.  Also has colorful messages compared to the md5 script, I care more 
about gpg verification than md5 for obvious reasons.

If the scripts fail, they exit 2 so you can check your files.

These scripts should also be available on the website soon. (we're in the 
middle of moving to a new server.. fun)

usage is pretty easy.  here is the example from my openssh.spec:

%prep
[ -x /usr/lib/rpm/rpm-md5-check.sh ] && SOURCE=%{name}-%{version}.tar.gz 
/usr/lib/rpm/rpm-md5-check.sh
[ -x /usr/lib/rpm/rpm-gpg-check.sh ] && SOURCE=%{name}-%{version}.tar.gz 
/usr/lib/rpm/rpm-gpg-check.sh 86FF9C48
%setup -q

here is some sample output:

MD5

+ SOURCE=wget-1.8.2.tar.gz
+ /usr/lib/rpm/rpm-md5-check.sh
Source md5 verification file found.
Verifing...
/usr/space/distro/organized_sources/wget ~/rpm_build/BUILD
wget-1.8.2.tar.gz: OK
~/rpm_build/BUILD
Verfication complete.
md5sum's are the same.
+ cd /home/miah/rpm_build/BUILD
+ rm -rf wget-1.8.2


GPG

+ SOURCE=openssh-3.5p1.tar.gz
+ /usr/lib/rpm/rpm-md5-check.sh
Source md5 verification file not found.
+ '[' -x /usr/lib/rpm/rpm-gpg-check.sh ']'
+ SOURCE=openssh-3.5p1.tar.gz
+ /usr/lib/rpm/rpm-gpg-check.sh 86FF9C48
Source gpg verification file found. [.sig]
gpg: Signature made Fri Oct  4 06:34:43 2002 GMT-5 using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) <djm@mindrot.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3981 992A 1523 ABA0 79DB  FC66 CE8E CB03 86FF 9C48
SUCCESS: Source verification completed.
+ cd /home/miah/rpm_build/BUILD
+ rm -rf openssh-3.5p1


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Use the scripts.
two.
three.

Additional info:

The scripts are available for download from:

http://www.sunrise-linux.com/~miah/rpm-gpg-check.sh
http://www.sunrise-linux.com/~miah/rpm-md5-check.sh

In the future, the scripts will likely be located under
http://www.sunrise-linux.com/projects.  If this changes I will update this
bugzilla entry.

md5-check isn't very portable right now because of the use of the md5sum command
with the -c option (which isnt available on other OS's).

gpg-check uses some ansi color codes to make errors a little more noticable.
Comment 1 Jeff Johnson 2003-03-22 15:10:10 EST
The scripts look useful, but need the following changes:
    a) the signature checking loads key to keyring, assumes
    that there is a keyring attached to the user building
    a package, and that the user has configured hkp server, etc.
    This isn't generally true with, say, a automated build system.
    Could you try loading key into local keyring from file? Assume
    that argv[1] follows usual *.sig *.asc gpg conventions.\

    b) The colorization assumes a linux console. Could
     you remove, or, (even better) extract parameters from
     configured TERM if present? Any of dialog/slang/expect
     (or your favorite interpreter) might be useful.

Thanks.
Comment 2 Paul Nasrat 2005-09-26 17:36:25 EDT
The scripts are no longer available - please reopen mail rpm-devel-list if you
still wish this for consideration for a future rpm release

Note You need to log in before you can comment on or make changes to this bug.