How to verify Samba RPM Files?

Jelmer Vernooij jelmer at samba.org
Wed Oct 22 17:01:53 MDT 2014


On Wed, Oct 22, 2014 at 10:57:35PM +0000, Vince George (vincgeor) wrote:
> Thanks for the reply but the -v verification check suggested in the link you offered is to check on already installed rpm packages. 
> 
> I am concerned about the integrity of the RPM files and authenticating signatures of the files I have just downloaded from the internet before installing them to ensure they have not been tampered with in any way! The -K option apparently does this but you can see from the output of the two command-lines I invoked that it cannot verify the signatures and complains "NOT OK (MISSING KEYS: GPG#f4428b1a)". I am thinking I need to supply a public key file using the -rcfile option.
> 
> For example, for the latest release link on the www.samba.org page they provide a link (http://ftp.samba.org/pub/samba/samba-pubkey.asc) to a public key for verification of the gunzip'ed file.
> 
> So it's back to the question of how to validate the integrity of the RPM files and authenticate the signatures? Where can I get the relative public keys?

The public key on the samba website is used by the Samba release manager for our files. The RPMs shipped with RHEL are signed by RedHat. 

Your question is a RHEL-specific one; please ask on a RHEL-specific list, e.g. http://www.redhat.com/mailman/listinfo/rhelv5-list

Jelmer


> -----Original Message-----
> From: Jelmer Vernooij [mailto:jelmer at samba.org] 
> Sent: Wednesday, October 22, 2014 6:34 PM
> To: Vince George (vincgeor)
> Cc: samba-technical at lists.samba.org
> Subject: Re: How to verify Samba RPM Files?
> 
> Hi Vince,
> 
> On Wed, Oct 22, 2014 at 10:15:57PM +0000, Vince George (vincgeor) wrote:
> > I have downloaded a RHEL5 release including several Samba RPM files and I want to verify their integrity & authenticity.
> > 
> > It's the first time I am using rpm and ran the two command-lines against a Samba rpm file...
> > 
> > 1st Command-Line: rpm -K samba3-3.6.24-45.el5.x86_64.rpm
> > 
> > samba3-3.6.24-45.el5.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK 
> > (MISSING KEYS: GPG#f4428b1a)
> > 
> > 2nd Command-Line: rpm -K -v samba3-3.6.24-45.el5.x86_64.rpm
> > 
> > samba3-3.6.24-45.el5.x86_64.rpm:
> >     Header V4 DSA signature: NOKEY, key ID f4428b1a
> >     Header SHA1 digest: OK (0ba26692ea1fa6c5fc19d4bf9ae5b5f6b2f8a5dd)
> >     MD5 digest: OK (3f09dc73be6069fd79b2a32ee6e3b51a)
> >     V4 DSA signature: NOKEY, key ID f4428b1a
> > 
> > How do I verify the signatures of the Samba RPM? Am I missing some public key file?
> 
> This is more of a RHEL-specific question rather than relating specifically to Samba. http://www.rpm.org/max-rpm/ch-rpm-verify.html seems to have some documentation, but you could also ask on one of the RedHat mailing lists.
> 
> Jelmer
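
The `rpm -K -v` output quoted in this thread mixes two kinds of result: digest checks that passed and signature checks that could not be evaluated (NOKEY). The following is an added example, not part of the original messages or of rpm itself: a shell function that separates the two. The function name, the verdict words and the two derived samples are assumptions made for illustration, and it parses only the output format shown above.

```shell
#!/bin/sh
# Added example (not from the thread): classify `rpm -K -v` output in the
# older format quoted above. Reads the output on stdin, prints one verdict:
#   FAILED            some check reported neither OK nor NOKEY
#   NOKEY <keyid>     digests OK, signer's public key not in the rpm keyring
#   UNSIGNED          digests OK, no signature lines at all
#   VERIFIED <keyid>  digests and signatures all OK
#   NO_RESULTS        no digest or signature lines were seen
# Digests are stored inside the package itself, so anyone who alters the
# file can recompute them; only VERIFIED says who produced the package.
classify_rpm_check() {
    awk '
        /digest:/ {
            digests++
            if ($0 !~ /digest: OK/) bad = 1
        }
        /signature:/ {
            sigs++
            keyid = $NF                      # key ID is the last field
            if ($0 ~ /signature: NOKEY/) nokey = 1
            else if ($0 !~ /signature: OK/) bad = 1
        }
        END {
            if (bad)                            print "FAILED"
            else if (digests == 0 && sigs == 0) print "NO_RESULTS"
            else if (nokey)                     print "NOKEY " keyid
            else if (sigs == 0)                 print "UNSIGNED"
            else                                print "VERIFIED " keyid
        }
    '
}

# The `rpm -K -v` output posted in the thread.
sample_nokey() {
    cat <<'EOF'
samba3-3.6.24-45.el5.x86_64.rpm:
    Header V4 DSA signature: NOKEY, key ID f4428b1a
    Header SHA1 digest: OK (0ba26692ea1fa6c5fc19d4bf9ae5b5f6b2f8a5dd)
    MD5 digest: OK (3f09dc73be6069fd79b2a32ee6e3b51a)
    V4 DSA signature: NOKEY, key ID f4428b1a
EOF
}

# Constructed variants of that output: key present, and a failed digest.
sample_verified()   { sample_nokey | sed 's/NOKEY/OK/'; }
sample_bad_digest() { sample_nokey | sed 's/MD5 digest: OK/MD5 digest: BAD/'; }

for s in sample_nokey sample_verified sample_bad_digest; do
    printf '%s: %s\n' "$s" "$("$s" | classify_rpm_check)"
done
```

In real use, pipe `rpm -K -v package.rpm` into `classify_rpm_check`. A NOKEY verdict is resolved by obtaining the packager's public key through a trusted channel and loading it with `rpm --import`, after which the same check can report a signature result.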

