[Samba] How to verify Samba RPM Files?

Vince George (vincgeor) vincgeor at cisco.com
Wed Oct 22 17:32:44 MDT 2014


Thanks for your replies. I will hopefully get an added response from the SerNet folks.

But your comments led me to an obvious alternative source which is the RHEL install set where they distribute directly from the RHEL OS media (i.e. Samba is part of their OS distribution & optionally installed). I will pursue that avenue also with my client's infrastructure team.

Cheers... Vince

-----Original Message-----
From: Jelmer Vernooij [mailto:jelmer at samba.org] 
Sent: Wednesday, October 22, 2014 7:28 PM
To: Vince George (vincgeor)
Cc: samba at samba.org
Subject: Re: How to verify Samba RPM Files?


[ Moving samba-technical@ to bcc, since this is not a development question. ]

On Wed, Oct 22, 2014 at 11:13:47PM +0000, Vince George (vincgeor) wrote:
> I think I am starting to get the picture and I am not clear I have 
> downloaded RHEL owned rpm files.. Note I started from this Samba site 
> http://www.enterprisesamba.com/samba-packages/red-hats-rhel/ and then 
> clicked here: 
> http://www.enterprisesamba.com/samba-packages/red-hats-rhel/  then 
> here: 
> http://www.enterprisesamba.com/samba-packages/red-hats-rhel/rhel-5/  
> ending up here:  http://ftp.sernet.de/pub/samba/3.6/rhel/5/x86_64/  
> where I downloaded the rpm files
> 
>  Does RHEL own these builds & rpms?

Ah, I see what you mean. One of the SerNet Samba folks should hopefully be able to answer that question.

Cheers,

Jelmer

> -----Original Message-----
> From: Jelmer Vernooij [mailto:jelmer at samba.org]
> Sent: Wednesday, October 22, 2014 7:02 PM
> To: Vince George (vincgeor)
> Cc: samba-technical at lists.samba.org
> Subject: Re: How to verify Samba RPM Files?
> 
> On Wed, Oct 22, 2014 at 10:57:35PM +0000, Vince George (vincgeor) wrote:
> > Thanks for the reply but the -v verification check suggested in the link you offered is to check on already installed rpm packages.
> >
> > I am concerned about the integrity of the RPM files and authenticating signatures of the files I have just downloaded from the internet before installing them to ensure they have not been tampered with in any way! The -K option apparently does this but you can see from the output of the two command-lines I invoked that it cannot verify the signatures and complains "NOT OK (MISSING KEYS: GPG#f4428b1a)". I am thinking I need to supply a public key file using the -rcfile option.
> >
> > For example, for the latest release link on the www.samba.org page they provide a link (http://ftp.samba.org/pub/samba/samba-pubkey.asc) to a public key for verification of the gunzip'ed file.
> >
> > So it's back to the question of how to validate the integrity of the RPM files and authenticate the signatures? Where can I get the relative public keys?
> 
> The public key on the samba website is used by the Samba release manager for our files. The RPMs shipped with RHEL are signed by RedHat.
> 
> Your question is a RHEL-specific one, please ask on a RHEL-specific 
> list - e.g. http://www.redhat.com/mailman/listinfo/rhelv5-list
> 
> Jelmer
> 
> 
> > -----Original Message-----
> > From: Jelmer Vernooij [mailto:jelmer at samba.org]
> > Sent: Wednesday, October 22, 2014 6:34 PM
> > To: Vince George (vincgeor)
> > Cc: samba-technical at lists.samba.org
> > Subject: Re: How to verify Samba RPM Files?
> >
> > Hi Vince,
> >
> > On Wed, Oct 22, 2014 at 10:15:57PM +0000, Vince George (vincgeor) wrote:
> > > I have downloaded a RHEL5 release including several Samba RPM files and I want to verify their integrity & authenticity.
> > >
> > > It's the first time I am using rpm and ran the two command-lines against a Samba rpm file...
> > >
> > > 1st Command-Line: rpm -K samba3-3.6.24-45.el5.x86_64.rpm
> > >
> > > samba3-3.6.24-45.el5.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK 
> > > (MISSING KEYS: GPG#f4428b1a)
> > >
> > > 2nd Command-Line: rpm -K -v samba3-3.6.24-45.el5.x86_64.rpm
> > >
> > > samba3-3.6.24-45.el5.x86_64.rpm:
> > >     Header V4 DSA signature: NOKEY, key ID f4428b1a
> > >     Header SHA1 digest: OK (0ba26692ea1fa6c5fc19d4bf9ae5b5f6b2f8a5dd)
> > >     MD5 digest: OK (3f09dc73be6069fd79b2a32ee6e3b51a)
> > >     V4 DSA signature: NOKEY, key ID f4428b1a
> > >
> > > How do I verify the signatures of the Samba RPM? Am I missing some public key file?
> >
> > This is more of a RHEL-specific question rather than relating specifically to Samba. http://www.rpm.org/max-rpm/ch-rpm-verify.html seems to have some documentation, but you could also ask on one of the RedHat mailing lists.
> >
> > Jelmer
> 
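
The `rpm -K -v` output quoted in this thread mixes two different results: digests that check out and a signature that could not be checked at all. The script below is an added example, not part of the original messages and not Samba or SerNet code; it reads that output and says which case applies. The function names are hypothetical, and the sample input is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: interpret `rpm -K -v` output read on stdin.
# Function names are hypothetical; status words match the thread's output.

# Constructed sample: the verbose output quoted in the thread.
sample_nokey_output() {
    cat <<'EOF'
samba3-3.6.24-45.el5.x86_64.rpm:
    Header V4 DSA signature: NOKEY, key ID f4428b1a
    Header SHA1 digest: OK (0ba26692ea1fa6c5fc19d4bf9ae5b5f6b2f8a5dd)
    MD5 digest: OK (3f09dc73be6069fd79b2a32ee6e3b51a)
    V4 DSA signature: NOKEY, key ID f4428b1a
EOF
}

# Prints BAD, NOKEY, SIGNED_OK, DIGEST_ONLY or UNKNOWN.
classify_rpm_checksig() {
    awk '
        /[Ss]ignature/ {
            if ($0 ~ /NOKEY/)    nokey++      # test before OK: "NOKEY" contains "OK"
            else if ($0 ~ /BAD/) bad++
            else if ($0 ~ /OK/)  sig_ok++
            next
        }
        /digest/ {
            if ($0 ~ /BAD/)      bad++
            else if ($0 ~ /OK/)  digest_ok++
        }
        END {
            if (bad)            print "BAD"
            else if (nokey)     print "NOKEY"
            else if (sig_ok)    print "SIGNED_OK"
            else if (digest_ok) print "DIGEST_ONLY"
            else                print "UNKNOWN"
        }'
}

# Prints the unique key IDs that rpm could not find in its keyring.
missing_key_ids() {
    awk '/NOKEY/ && match($0, /key ID [0-9a-fA-F]+/) {
             print substr($0, RSTART + 7, RLENGTH - 7)
         }' | sort -u
}

echo "verdict: $(sample_nokey_output | classify_rpm_checksig)"
echo "missing: $(sample_nokey_output | missing_key_ids)"
```

NOKEY with OK digests means the file is internally consistent but its origin is unproven, because the digests travel inside the same file and say nothing about who built it. After the packager's public key has been obtained over a channel you trust and added with `rpm --import`, the same check should report the signature lines as OK.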

