Hi.
On Tue, 11 Mar 2008 08:33:49 -0500, Matt Domsch wrote:
> I started looking into this. rpm -V verifies the md5sums of the
> individual files. Running 'rpm -V' for each rpm on the ccLiveCD-2.0
> only turned up a dozen or so packages with any changes at all, all of
> them trivial configuration changes.

Ah, I overlooked that path.

> rpm -V does not, AFAICT, try recreating the original rpm, to compare
> the gpg signature. For our purposes, I think it would be fair to
> assume that if the package is signed by one of the Fedora keys, and
> if its 'rpm -V' output was clean, that it is unchanged.

Yes, that would be true. rpm -V does not recreate the RPM, it does not
have to. It just needs a (digitally signed) list of files along with their
properties (size, mode, checksum).
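
The check discussed in this thread (signed by a trusted key, and `rpm -V` clean or showing only configuration-file changes) can be scripted as below. This is an added example, not code from the thread: the function names are hypothetical and the key ID is a constructed placeholder to be replaced with the IDs of the keys you trust.

```shell
#!/bin/sh
# Key ID below is a constructed placeholder, not a real Fedora key.
TRUSTED_KEYIDS="0123456789abcdef"

# Succeeds if a "%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}" string names a trusted key.
signed_by_trusted() {
    case "$1" in
        *"Key ID "*) keyid=${1##*Key ID }; keyid=${keyid%% *} ;;
        *) return 1 ;;                      # "(none)": package is unsigned
    esac
    for k in $TRUSTED_KEYIDS; do
        if [ "$k" = "$keyid" ]; then return 0; fi
    done
    return 1
}

# Reads `rpm -V` output on stdin; prints clean, config-only or modified.
classify_verify() {
    result=clean
    while read -r flags marker path || [ -n "$flags" ]; do
        if [ -z "$flags" ]; then continue; fi
        # Line layout: <flags|missing> [c|d|g|l|r] <path>; "c" marks a config file.
        if [ "$marker" != c ]; then
            result=modified
        elif [ "$result" = clean ]; then
            result=config-only
        fi
    done
    echo "$result"
}

# verdict SIGSTRING < rpm-V-output : untrusted | unchanged | config-only | modified
verdict() {
    if ! signed_by_trusted "$1"; then echo untrusted; return 0; fi
    case $(classify_verify) in
        clean) echo unchanged ;;
        config-only) echo config-only ;;
        *) echo modified ;;
    esac
}

# Walk every installed package (needs rpm; call it yourself, it is not run here).
audit_installed() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' | while read -r pkg; do
        case $pkg in gpg-pubkey-*) continue ;; esac   # imported keys, not packages
        sig=$(rpm -q --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}' "$pkg")
        echo "$pkg: $(rpm -V "$pkg" </dev/null | verdict "$sig")"
    done
}
```

Run `audit_installed` on the system under review; any package reported as `untrusted` or `modified` needs a closer look, while `config-only` matches the trivial configuration changes described above.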