[Samba] How to verify Samba RPM Files?
Vince George (vincgeor)
vincgeor at cisco.com
Wed Oct 22 17:57:59 MDT 2014
Just an update... I found the "Sernet" keys which can be installed as an rpm package itself on the page: https://portal.enterprisesamba.com/
Of course now it appears I need to be root to install anything but that's ok... we will be ready to go with all packages working with the infrastructure folks tomorrow!
From: Jelmer Vernooij [mailto:jelmer at samba.org]
Sent: Wednesday, October 22, 2014 7:28 PM
To: Vince George (vincgeor)
Cc: samba at samba.org
Subject: Re: How to verify Samba RPM Files?
[ Moving samba-technical@ to bcc, since this is not a development question. ]
On Wed, Oct 22, 2014 at 11:13:47PM +0000, Vince George (vincgeor) wrote:
> I think I am starting to get the picture and I am not clear I have
> downloaded RHEL owned rpm files. Note I started from this Samba site
> http://www.enterprisesamba.com/samba-packages/red-hats-rhel/ and then
> clicked here:
> http://www.enterprisesamba.com/samba-packages/red-hats-rhel/ then
> ending up here: http://ftp.sernet.de/pub/samba/3.6/rhel/5/x86_64/
> where I downloaded the rpm files
> Does RHEL own these builds & rpms?
Ah, I see what you mean. One of the SerNet Samba folks should hopefully be able to answer that question.
> -----Original Message-----
> From: Jelmer Vernooij [mailto:jelmer at samba.org]
> Sent: Wednesday, October 22, 2014 7:02 PM
> To: Vince George (vincgeor)
> Cc: samba-technical at lists.samba.org
> Subject: Re: How to verify Samba RPM Files?
> On Wed, Oct 22, 2014 at 10:57:35PM +0000, Vince George (vincgeor) wrote:
> > Thanks for the reply but the -v verification check suggested in the link you offered is to check on already installed rpm packages.
> > I am concerned about the integrity of the RPM files and authenticating signatures of the files I have just downloaded from the internet before installing them to ensure they have not been tampered with in any way! The -K option apparently does this but you can see from the output of the two command-lines I invoked that it cannot verify the signatures and complains " NOT OK (MISSING KEYS: GPG#f4428b1a)". I am thinking I need to supply a public key file using the -rcfile option.
> > For example, for the latest release link on the www.samba.org page they provide a link (http://ftp.samba.org/pub/samba/samba-pubkey.asc) to a public key for verification of the gunzip'ed file.
> > So it's back to the question of how to validate the integrity of the RPM files and authenticate the signatures? Where can I get the relative public keys?
> The public key on the samba website is used by the Samba release manager for our files. The RPMs shipped with RHEL are signed by RedHat.
> Your question is a RHEL-specific one, please ask on a RHEL-specific
> list - e.g. http://www.redhat.com/mailman/listinfo/rhelv5-list
> > -----Original Message-----
> > From: Jelmer Vernooij [mailto:jelmer at samba.org]
> > Sent: Wednesday, October 22, 2014 6:34 PM
> > To: Vince George (vincgeor)
> > Cc: samba-technical at lists.samba.org
> > Subject: Re: How to verify Samba RPM Files?
> > Hi Vince,
> > On Wed, Oct 22, 2014 at 10:15:57PM +0000, Vince George (vincgeor) wrote:
> > > I have downloaded a RHEL5 release including several Samba RPM files and I want to verify their integrity & authenticity.
> > >
> > > It's the first time I am using rpm and ran the two command-lines against a Samba rpm file...
> > >
> > > 1st Command-Line: rpm -K samba3-3.6.24-45.el5.x86_64.rpm
> > >
> > > samba3-3.6.24-45.el5.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
> > > (MISSING KEYS: GPG#f4428b1a)
> > >
> > > 2nd Command-Line: rpm -K -v samba3-3.6.24-45.el5.x86_64.rpm
> > >
> > > samba3-3.6.24-45.el5.x86_64.rpm:
> > > Header V4 DSA signature: NOKEY, key ID f4428b1a
> > > Header SHA1 digest: OK (0ba26692ea1fa6c5fc19d4bf9ae5b5f6b2f8a5dd)
> > > MD5 digest: OK (3f09dc73be6069fd79b2a32ee6e3b51a)
> > > V4 DSA signature: NOKEY, key ID f4428b1a
> > >
> > > How do I verify the signatures of the Samba RPM? Am I missing some public key file?
> > This is more of a RHEL-specific question rather than relating specifically to Samba. http://www.rpm.org/max-rpm/ch-rpm-verify.html seems to have some documentation, but you could also ask on one of the RedHat mailing lists.
> > Jelmer
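An added example, not part of the thread or of any project's tooling: a small shell function (hypothetical name `classify_rpm_check`) that reads `rpm -K -v` output in the format quoted above and separates "digests match but the signing key is not in the rpm keyring" (NOKEY) from a verified or a failed check. The first sample is the output quoted in the thread; the other two are constructed.

```shell
#!/bin/sh
# Added example: classify `rpm -K -v <file>` output read from stdin.
# classify_rpm_check is a hypothetical helper; the line formats it matches
# are the ones shown in the thread ("... signature: NOKEY, key ID ...").
# Prints one verdict and returns 0 only when every signature verified:
#   verified      all digests and signatures OK
#   nokey <ids>   digests OK, but the signer's public key is not imported
#   unsigned      digests only, no signature lines at all
#   bad           a digest or signature failed
classify_rpm_check() {
    awk '
        /signature:/ {
            sigs++
            if ($0 ~ /signature: OK/) next
            if ($0 ~ /signature: NOKEY/) {
                nokey++
                # Last field is the key ID; record each ID once.
                if (index(ids, $NF) == 0) ids = ids " " $NF
                next
            }
            bad++
        }
        /digest:/ { if ($0 !~ /digest: OK/) bad++ }
        END {
            if (bad)       { print "bad"; exit 2 }
            if (nokey)     { print "nokey" ids; exit 1 }
            if (sigs == 0) { print "unsigned"; exit 1 }
            print "verified"
        }'
}

# Output quoted in the thread: hashes match, signing key unknown to rpm.
SAMPLE_NOKEY='samba3-3.6.24-45.el5.x86_64.rpm:
    Header V4 DSA signature: NOKEY, key ID f4428b1a
    Header SHA1 digest: OK (0ba26692ea1fa6c5fc19d4bf9ae5b5f6b2f8a5dd)
    MD5 digest: OK (3f09dc73be6069fd79b2a32ee6e3b51a)
    V4 DSA signature: NOKEY, key ID f4428b1a'
# Constructed: the same check once the signer key has been imported.
SAMPLE_OK='pkg.rpm:
    Header V4 DSA signature: OK, key ID f4428b1a
    Header SHA1 digest: OK
    MD5 digest: OK
    V4 DSA signature: OK, key ID f4428b1a'
# Constructed: payload altered after signing.
SAMPLE_BAD='pkg.rpm:
    Header V4 DSA signature: OK, key ID f4428b1a
    Header SHA1 digest: OK
    MD5 digest: BAD
    V4 DSA signature: BAD, key ID f4428b1a'

printf '%s\n' "$SAMPLE_NOKEY" | classify_rpm_check || true
```

With real packages the call is `rpm -K -v package.rpm | classify_rpm_check`. A `nokey` verdict means the digests only show the file is internally consistent; the signer's public key has to be obtained from the packager over a trusted channel and loaded with `rpm --import <keyfile>` before the signature says anything about origin.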