From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312

Description of problem:

Hello all, I just finished up my scripts and I'd like to post them here and get some feedback.

rpm-md5-check.sh - If you have source.tar.gz and source.tar.gz.md5, this script compares the md5sums.

rpm-gpg-check.sh - If you have source.tar.gz and source.tar.gz.sig or source.tar.gz.asc, this script verifies the gpg/pgp signatures. The script will also automagically download the keyfile from your keyserver if you don't already have it. The script also takes the keyid as an argument. It also has colorful messages compared to the md5 script; I care more about gpg verification than md5 for obvious reasons.

If the scripts fail, they exit 2 so you can check your files. These scripts should also be available on the website soon. (We're in the middle of moving to a new server... fun.)

Usage is pretty easy. Here is the example from my openssh.spec:

    %prep
    [ -x /usr/lib/rpm/rpm-md5-check.sh ] && SOURCE=%{name}-%{version}.tar.gz /usr/lib/rpm/rpm-md5-check.sh
    [ -x /usr/lib/rpm/rpm-gpg-check.sh ] && SOURCE=%{name}-%{version}.tar.gz /usr/lib/rpm/rpm-gpg-check.sh 86FF9C48
    %setup -q

Here is some sample output:

MD5

    + SOURCE=wget-1.8.2.tar.gz
    + /usr/lib/rpm/rpm-md5-check.sh
    Source md5 verification file found. Verifing...
    /usr/space/distro/organized_sources/wget ~/rpm_build/BUILD
    wget-1.8.2.tar.gz: OK
    ~/rpm_build/BUILD
    Verfication complete. md5sum's are the same.
    + cd /home/miah/rpm_build/BUILD
    + rm -rf wget-1.8.2

GPG

    + SOURCE=openssh-3.5p1.tar.gz
    + /usr/lib/rpm/rpm-md5-check.sh
    Source md5 verification file not found.
    + '[' -x /usr/lib/rpm/rpm-gpg-check.sh ']'
    + SOURCE=openssh-3.5p1.tar.gz
    + /usr/lib/rpm/rpm-gpg-check.sh 86FF9C48
    Source gpg verification file found. [.sig]
    gpg: Signature made Fri Oct 4 06:34:43 2002 GMT-5 using DSA key ID 86FF9C48
    gpg: Good signature from "Damien Miller (Personal Key) <djm>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48
    SUCCESS: Source verification completed.
    + cd /home/miah/rpm_build/BUILD
    + rm -rf openssh-3.5p1

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce: Use the scripts. two. three.

Additional info:

The scripts are available for download from:
http://www.sunrise-linux.com/~miah/rpm-gpg-check.sh
http://www.sunrise-linux.com/~miah/rpm-md5-check.sh

In the future, the scripts will likely be located under http://www.sunrise-linux.com/projects. If this changes I will update this bugzilla entry.

md5-check isn't very portable right now because of the use of the md5sum command with the -c option (which isn't available on other OS's). gpg-check uses some ansi color codes to make errors a little more noticeable.
The scripts look useful, but need the following changes:

a) The signature checking loads the key into the keyring, and assumes that there is a keyring attached to the user building a package, that the user has configured an hkp server, etc. This isn't generally true with, say, an automated build system. Could you try loading the key into a local keyring from a file? Assume that argv[1] follows the usual *.sig *.asc gpg conventions.

b) The colorization assumes a linux console. Could you remove it, or (even better) extract parameters from the configured TERM if present? Any of dialog/slang/expect (or your favorite interpreter) might be useful.

Thanks.
The scripts are no longer available - please reopen mail rpm-devel-list if you still wish this for consideration for a future rpm release
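
An added example, not part of the original report or of the review reply: one way to do what point (a) of the review asks, importing the key from a file into a throwaway keyring instead of relying on the builder's keyring and a keyserver. The function names, the argument order and the KEYFILE parameter are assumptions; the check pins the full fingerprint printed in the sample output above rather than the 8-digit key ID.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the rpm-gpg-check.sh from this report).

# fpr_matches EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin; succeeds only if a VALIDSIG line
# names EXPECTED_FPR as the signing key or as the primary key (last field).
# A bare GOODSIG or a matching short key ID is not enough: 8-digit IDs collide.
fpr_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# verify_source SOURCE SIGFILE KEYFILE EXPECTED_FPR
# Returns 0 on a good, pinned signature and 2 otherwise (the exit code the
# report says the original scripts use on failure).
verify_source() {
    src=$1 sig=$2 keyfile=$3 fpr=$4
    for f in "$src" "$sig" "$keyfile"; do
        [ -r "$f" ] || { echo "ERROR: cannot read $f" >&2; return 2; }
    done
    # Private GNUPGHOME: nothing is read from or written to the builder's
    # own keyring, and no keyserver is contacted.
    home=$(mktemp -d) || return 2
    rc=0
    status=$(
        gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null &&
        gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$src" 2>/dev/null
    ) || rc=$?
    rm -rf "$home"
    if [ "$rc" -eq 0 ] && printf '%s\n' "$status" | fpr_matches "$fpr"; then
        echo "SUCCESS: Source verification completed."
        return 0
    fi
    echo "ERROR: signature check failed for $src" >&2
    return 2
}

# Run directly: script SOURCE SIGFILE KEYFILE "FULL FINGERPRINT"
if [ "$#" -eq 4 ]; then
    verify_source "$@"
    exit $?
fi
```

Because the key file itself is the trust anchor here, it has to come from somewhere other than the download location of the tarball and signature, for example the package's own source control.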