How to verify Samba RPM Files?

Vince George (vincgeor) vincgeor at cisco.com
Wed Oct 22 16:57:35 MDT 2014


Hi,

Thanks for the reply but the -v verification check suggested in the link you offered is to check on already installed rpm packages.

I am concerned about the integrity of the RPM files and authenticating signatures of the files I have just downloaded from the internet before installing them to ensure they have not been tampered with in any way! The -K option apparently does this but you can see from the output of the two command-lines I invoked that it cannot verify the signatures and complains "NOT OK (MISSING KEYS: GPG#f4428b1a)". I am thinking I need to supply a public key file using the -rcfile option.

For example, for the latest release link on the www.samba.org page they provide a link (http://ftp.samba.org/pub/samba/samba-pubkey.asc) to a public key for verification of the gunzip'ed file.

So it's back to the question of how to validate the integrity of the RPM files and authenticate the signatures? Where can I get the relative public keys?

Thanks... Vince

-----Original Message-----
From: Jelmer Vernooij [mailto:jelmer at samba.org] 
Sent: Wednesday, October 22, 2014 6:34 PM
To: Vince George (vincgeor)
Cc: samba-technical at lists.samba.org
Subject: Re: How to verify Samba RPM Files?

Hi Vince,

On Wed, Oct 22, 2014 at 10:15:57PM +0000, Vince George (vincgeor) wrote:
> I have downloaded a RHEL5 release including several Samba RPM files and I want to verify their integrity & authenticity.
> 
> It's the first time I am using rpm and ran the two command-lines against a Samba rpm file...
> 
> 1st Command-Line: rpm -K samba3-3.6.24-45.el5.x86_64.rpm
> 
> samba3-3.6.24-45.el5.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK 
> (MISSING KEYS: GPG#f4428b1a)
> 
> 2nd Command-Line: rpm -K -v samba3-3.6.24-45.el5.x86_64.rpm
> 
> samba3-3.6.24-45.el5.x86_64.rpm:
>     Header V4 DSA signature: NOKEY, key ID f4428b1a
>     Header SHA1 digest: OK (0ba26692ea1fa6c5fc19d4bf9ae5b5f6b2f8a5dd)
>     MD5 digest: OK (3f09dc73be6069fd79b2a32ee6e3b51a)
>     V4 DSA signature: NOKEY, key ID f4428b1a
> 
> How do I verify the signatures of the Samba RPM? Am I missing some public key file?

This is more of a RHEL-specific question rather than relating specifically to Samba. http://www.rpm.org/max-rpm/ch-rpm-verify.html seems to have some documentation, but you could also ask on one of the Red Hat mailing lists.

Jelmer
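
The `rpm -K -v` output quoted in this thread mixes two kinds of result: digests that are OK and signatures that are NOKEY. The following is an added example, not part of the original messages: it parses that output and separates "file is internally consistent" from "signature verified". The function name and verdict strings are assumptions, and it assumes the line format shown in the thread; other rpm versions may format these lines differently.

```python
import re

# rpm -K -v output exactly as quoted in the thread above.
PAGE_OUTPUT = """\
samba3-3.6.24-45.el5.x86_64.rpm:
    Header V4 DSA signature: NOKEY, key ID f4428b1a
    Header SHA1 digest: OK (0ba26692ea1fa6c5fc19d4bf9ae5b5f6b2f8a5dd)
    MD5 digest: OK (3f09dc73be6069fd79b2a32ee6e3b51a)
    V4 DSA signature: NOKEY, key ID f4428b1a
"""
# Constructed samples (not from the thread): same package once the signer's
# key is known to rpm, and a copy whose payload digest no longer matches.
SIGNED_OK = PAGE_OUTPUT.replace("NOKEY", "OK")
TAMPERED = SIGNED_OK.replace("MD5 digest: OK", "MD5 digest: BAD")

# One check per indented line: "<label> signature|digest: STATUS[, key ID <hex>]"
CHECK = re.compile(
    r"^\s+.*?(?P<kind>signature|digest): (?P<status>[A-Z]+)"
    r"(?:, key ID (?P<keyid>[0-9a-f]+))?", re.I)

def assess(output):
    """Return (verdict, missing_key_ids) for one package's `rpm -K -v` text."""
    sigs, digests, missing = [], [], set()
    for line in output.splitlines():
        m = CHECK.match(line)
        if not m:
            continue
        status = m["status"].upper()
        if m["kind"].lower() == "signature":
            sigs.append(status)
            if status == "NOKEY" and m["keyid"]:
                missing.add(m["keyid"].lower())
        else:
            digests.append(status)
    # Any digest mismatch, or a signature that is neither OK nor NOKEY: reject.
    if any(s != "OK" for s in digests) or any(s not in ("OK", "NOKEY") for s in sigs):
        return "failed", sorted(missing)
    if not sigs:
        return "unsigned", []      # digests alone are stored in the file itself
    if "NOKEY" in sigs:
        return "unverified-missing-key", sorted(missing)  # integrity only
    return "signature-ok", []

if __name__ == "__main__":
    for name, text in [("page", PAGE_OUTPUT), ("signed", SIGNED_OK), ("tampered", TAMPERED)]:
        print(name, assess(text))
```

Only `signature-ok` says anything about authenticity, and that verdict is only as trustworthy as the public key that was imported into rpm's keyring.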

