How to verify Samba RPM Files?

Jelmer Vernooij jelmer at samba.org
Wed Oct 22 17:28:12 MDT 2014


[ Moving samba-technical@ to bcc, since this is not a development question. ]

On Wed, Oct 22, 2014 at 11:13:47PM +0000, Vince George (vincgeor) wrote:
> I think I am starting to get the picture and I am not clear I have downloaded RHEL owned rpm files.. Note I started from this Samba site http://www.enterprisesamba.com/samba-packages/red-hats-rhel/ and then clicked here: http://www.enterprisesamba.com/samba-packages/red-hats-rhel/  then here: http://www.enterprisesamba.com/samba-packages/red-hats-rhel/rhel-5/  ending up here:  http://ftp.sernet.de/pub/samba/3.6/rhel/5/x86_64/  where I downloaded the rpm files
> 
>  Does RHEL own these builds & rpms?

Ah, I see what you mean. One of the SerNet Samba folks should hopefully be able to answer that question.

Cheers,

Jelmer

> -----Original Message-----
> From: Jelmer Vernooij [mailto:jelmer at samba.org]
> Sent: Wednesday, October 22, 2014 7:02 PM
> To: Vince George (vincgeor)
> Cc: samba-technical at lists.samba.org
> Subject: Re: How to verify Samba RPM Files?
> 
> On Wed, Oct 22, 2014 at 10:57:35PM +0000, Vince George (vincgeor) wrote:
> > Thanks for the reply but the -v verification check suggested in the link you offered is to check on already installed rpm packages.
> >
> > I am concerned about the integrity of the RPM files and authenticating signatures of the files I have just downloaded from the internet before installing them to ensure they have not been tampered with in any way! The -K option apparently does this but you can see from the output of the two command-lines I invoked that it cannot verify the signatures and complains " NOT OK (MISSING KEYS: GPG#f4428b1a)".  I am thinking I need to supply a public key file using the -rcfile option.
> >
> > For example, for the latest release link on the  www.samba.org<http://www.samba.org> page they provide a link (http://ftp.samba.org/pub/samba/samba-pubkey.asc) to a public key for verification of the gunzip'ed file.
> >
> > So it's back to the question of how to validate the integrity of the RPM files and authenticate the signatures? Where can I get the relative public keys?
> 
> The public key on the samba website is used by the Samba release manager for our files. The RPMs shipped with RHEL are signed by RedHat.
> 
> Your question is a RHEL-specific one, please ask on a RHEL-specific list - e.g. http://www.redhat.com/mailman/listinfo/rhelv5-list
> 
> Jelmer
> 
> 
> > -----Original Message-----
> > From: Jelmer Vernooij [mailto:jelmer at samba.org]
> > Sent: Wednesday, October 22, 2014 6:34 PM
> > To: Vince George (vincgeor)
> > Cc: samba-technical at lists.samba.org<mailto:samba-technical at lists.samba.org>
> > Subject: Re: How to verify Samba RPM Files?
> >
> > Hi Vince,
> >
> > On Wed, Oct 22, 2014 at 10:15:57PM +0000, Vince George (vincgeor) wrote:
> > > I have downloaded a RHEL5 release including several Samba RPM files and I want to verify their integrity & authenticity.
> > >
> > > It's the first time I am using rpm and ran the two command-lines against a Samba rpm file...
> > >
> > > 1st Command-Line: : rpm -K samba3-3.6.24-45.el5.x86_64.rpm
> > >
> > > samba3-3.6.24-45.el5.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
> > > (MISSING KEYS: GPG#f4428b1a)
> > >
> > > 2nd Command-Line: :  rpm -K -v samba3-3.6.24-45.el5.x86_64.rpm
> > >
> > > samba3-3.6.24-45.el5.x86_64.rpm:
> > >     Header V4 DSA signature: NOKEY, key ID f4428b1a
> > >     Header SHA1 digest: OK (0ba26692ea1fa6c5fc19d4bf9ae5b5f6b2f8a5dd)
> > >     MD5 digest: OK (3f09dc73be6069fd79b2a32ee6e3b51a)
> > >     V4 DSA signature: NOKEY, key ID f4428b1a
> > >
> > > How do I verify the signatures of the Samba RPM? Am I missing some public key file?
> >
> > This is more of a RHEL-specific question rather than relating specifically to Samba. http://www.rpm.org/max-rpm/ch-rpm-verify.html seems to have some documentation, but you could also ask on one of the RedHat mailing lists.
> >
> > Jelmer
> 


More information about the samba-technical mailing list