SRPM lists for spins LiveISOs

Matt Domsch Matt_Domsch at dell.com
Tue Mar 11 13:33:49 UTC 2008


On Mon, Mar 10, 2008 at 06:29:50PM +0100, Ralf Ertzinger wrote:
> Hi.
> 
> On Mon, 10 Mar 2008 09:20:08 -0800, Jeff Spaleta wrote
> 
> > Any way you can have this tool also test the key signatures of
> > packages in the iso?
> > This came up in fab concerning hosting externally built isos as part
> > of a tiered collection of spins.  Is it possible for your tool, or a
> > related tool that you can build this week, to verify that the livecd
> > contents come from packages signed by the Fedora key (or a specific
> > group of keys)?
> 
> What do you gain by doing that? Unless you turn every bit on the iso
> around you can not be sure that the packages are not tampered with after
> installation.

I started looking into this.  rpm -V  verifies the md5sums of the
individual files.  Running 'rpm -V' for each rpm on the ccLiveCD-2.0
only turned up a dozen or so packages with any changes at all, all of
them trivial configuration changes.

rpm -V does not, AFAICT, try recreating the original rpm to compare
the gpg signature.  For our purposes, I think it would be fair to
assume that if the package is signed by one of the Fedora keys, and
its 'rpm -V' output is clean, it is unchanged.  Where 'rpm -V'
reports something, or if a package is not signed (such as the
cc-home RPM on the above CD), it will require manual review.

Now which RPM tag carries the gpg key used to create the signature?
If anyone knows, I can probably hack this up pretty easily, next
week...

Thanks,
Matt

-- 
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux
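The check sketched in the message above, written out as an added example (this is not Matt's tool, nor anything from the Fedora project). The signing key ID is not in a tag of its own: it is embedded in the signature stored in the signature header (RSAHEADER, DSAHEADER, SIGGPG or SIGPGP, whichever the package carries), and rpm's `:pgpsig` format extension renders it as "..., Key ID <hex>", the same text `rpm -qi` shows on its "Signature :" line. The script reads that field for every installed package, compares the key ID against an allowlist, and then runs `rpm -V` and separates config-only changes from other differences. The trusted key IDs are placeholders you must replace, the `--root` directory is assumed to be a mounted LiveCD root filesystem, and the `RPM_AUDIT_RUN` variable is just this example's switch for running the driver:

```shell
#!/bin/sh
# Audit installed RPMs: which key signed each one, and does 'rpm -V' agree
# with the installed header?  Added example; not Matt's tool.

# ASSUMPTION: placeholder key IDs.  Replace with the low 8 hex digits of the
# keys you trust ('rpm -q gpg-pubkey' lists the imported ones as VERSION).
TRUSTED_KEY_IDS="${TRUSTED_KEY_IDS:-4f2a6fd2 aa11bb22}"

# Extract the signing key ID from an rpm ':pgpsig' string such as
#   "RSA/SHA256, Tue 11 Mar 2008 13:33:49 UTC, Key ID b44269d04f2a6fd2"
# Prints the last 8 hex digits, lowercased, so that both 16-digit (pgpsig)
# and 8-digit (gpg-pubkey VERSION) forms compare equal.  Prints nothing
# for an unsigned package, where the formatter yields "(none)".
sig_key_id() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Key ID *\([0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p' \
      | tr 'A-F' 'a-f' \
      | sed 's/.*\(.\{8\}\)$/\1/'
}

# Is key ID $1 in the space-separated allowlist $2?
key_trusted() {
    for k in $2; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Decide how a package should be treated, given its pgpsig string, the
# allowlist, and whatever 'rpm -V' printed for it (empty when clean).
# Prints one of: unsigned, untrusted-key, modified, config-changed, ok.
# 'rpm -V' marks config files with a 'c' in the second column; a package
# whose only differences are config files is reported separately.
classify_pkg() {
    pgpsig=$1; allow=$2; verify_out=$3
    kid=$(sig_key_id "$pgpsig")
    non_config=$(printf '%s\n' "$verify_out" | awk 'NF >= 2 && $2 != "c"')
    if [ -z "$kid" ]; then
        printf 'unsigned\n'          # needs manual review (no signature)
    elif ! key_trusted "$kid" "$allow"; then
        printf 'untrusted-key\n'     # signed, but not by an allowed key
    elif [ -n "$non_config" ]; then
        printf 'modified\n'          # non-config file differs: manual review
    elif [ -n "$verify_out" ]; then
        printf 'config-changed\n'    # only %config files differ
    else
        printf 'ok\n'
    fi
}

# Query format: name-version-release.arch, then the first signature tag
# present, rendered through ':pgpsig'.  The '%|TAG?{..}:{..}|' conditional
# is rpm's own query-format syntax.
pkg_sig_query='%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n'

# Walk every package under $1 (ASSUMPTION: a mounted LiveCD root, or /)
# and print "<verdict> <nvra>" per package.
audit_installed() {
    root=${1:-/}
    rpm --root "$root" -qa --qf "$pkg_sig_query" \
    | while IFS='|' read -r nvra pgpsig; do
        case $nvra in gpg-pubkey-*) continue ;; esac   # key pseudo-packages
        vout=$(rpm --root "$root" -V "$nvra" 2>&1 || true)
        printf '%-14s %s\n' "$(classify_pkg "$pgpsig" "$TRUSTED_KEY_IDS" "$vout")" "$nvra"
    done
}

# Run with: RPM_AUDIT_RUN=1 RPM_AUDIT_ROOT=/mnt/livecd sh rpm-audit.sh
if [ "${RPM_AUDIT_RUN:-0}" = "1" ]; then
    audit_installed "${RPM_AUDIT_ROOT:-/}"
fi
```

One caveat a reviewer of the resulting report should keep in mind: the key ID is read out of the signature as stored in the rpm database, and neither this script nor `rpm -V` re-verifies that signature cryptographically against the installed header. It tells you which key the header claims signed the package and whether the files on disk still match that header; anyone able to rewrite the rpm database on the image could make both look clean, so the report is a triage aid for the manual review Matt describes, not a proof of provenance.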
