On Mon, Mar 10, 2008 at 06:29:50PM +0100, Ralf Ertzinger wrote:
Hi.
On Mon, 10 Mar 2008 09:20:08 -0800, Jeff Spaleta wrote
> Any way you can have this tool also test the key signatures of
> packages in the iso?
> This came up in fab concerning hosting externally built isos as part
> of a tiered collection of spins. Is it possible for your tool, or a
> related tool that you can build this week, to verify that the livecd
> contents come from packages signed by the Fedora key (or a specific
> group of keys)?
What do you gain by doing that? Unless you turn every bit on the iso
around you can not be sure that the packages are not tampered with after
installation.
I started looking into this. rpm -V verifies the md5sums of the
individual files. Running 'rpm -V' for each rpm on the ccLiveCD-2.0
only turned up a dozen or so packages with any changes at all, all of
them trivial configuration changes.
rpm -V does not, AFAICT, try recreating the original rpm, to compare
the gpg signature. For our purposes, I think it would be fair to
assume that if the package is signed by one of the Fedora keys, and
if its 'rpm -V' output was clean, that it is unchanged. Where 'rpm
-V' reports something, or if a package is not signed (such as the
cc-home RPM on the above CD), it will require manual review.
Now which RPM tag carries the gpg key used to create the signature?
If anyone knows, I can probably hack this up pretty easily, next
week...
Thanks,
Matt
--
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com &
www.dell.com/linux
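The triage rule Matt sketches above (signed by an allowed key plus clean 'rpm -V' output means "unchanged", everything else goes to a manual-review list) as a small shell script. This is an added example, not code from the thread or from any Fedora tool. It assumes the signature can be read with rpm's ':pgpsig' formatter through the SIGPGP and SIGGPG tags; the key IDs in ALLOWED_KEYS and the 'rpm -V' sample lines are constructed placeholders, not real Fedora keys.

```shell
#!/bin/sh
# Added example: classify packages as "clean" or "needs manual review"
# using two signals: which key signed the package, and what 'rpm -V' says.
# ALLOWED_KEYS holds short (8 hex digit) key IDs; the defaults here are
# constructed placeholders, not the real Fedora key IDs.
ALLOWED_KEYS="${ALLOWED_KEYS:-89abcdef 01234567}"

# Pull the signing key ID out of an rpm ':pgpsig' string such as
#   "DSA/SHA1, Thu Feb 14 2008, Key ID 0123456789abcdef"
# Prints the last 8 hex digits, lower-cased; prints nothing for "(none)".
sig_key_id() {
    printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9a-fA-F]*\).*/\1/p' \
        | tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/'
}

# classify SIGSTRING VERIFYOUTPUT
#   SIGSTRING    - the ':pgpsig' string for the package ("(none)" if unsigned)
#   VERIFYOUTPUT - output of 'rpm -V' for the package (empty when clean)
# Prints one of: clean, unsigned, untrusted-key, modified-config-only, modified
classify() {
    key=$(sig_key_id "$1")
    if [ -z "$key" ]; then
        echo unsigned
        return
    fi
    case " $ALLOWED_KEYS " in
        *" $key "*) ;;
        *) echo untrusted-key; return ;;
    esac
    if [ -z "$2" ]; then
        echo clean
        return
    fi
    # 'rpm -V' lines look like "S.5....T.  c /etc/foo.conf": nine attribute
    # flags, then a file-type column where 'c' marks a config file.  Lines
    # that are not config files (or "missing" entries) mean real modification.
    if printf '%s\n' "$2" | grep -qv '^.........  c '; then
        echo modified
    else
        echo modified-config-only
    fi
}

# Walk every installed package and print "<class><TAB><package>".
# Anything other than "clean" is the manual-review list Matt describes.
scan_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 1; }
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort | while read -r pkg; do
        case $pkg in gpg-pubkey*) continue ;; esac   # imported keys, not files
        sig=$(rpm -q --qf '%{SIGPGP:pgpsig}' "$pkg")
        [ "$sig" = "(none)" ] && sig=$(rpm -q --qf '%{SIGGPG:pgpsig}' "$pkg")
        verify=$(rpm -V "$pkg" 2>/dev/null || true)   # non-zero exit means changes
        printf '%s\t%s\n' "$(classify "$sig" "$verify")" "$pkg"
    done
}

# Only touch the live rpm database when explicitly asked:  sh triage.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_installed
fi
```

Run it with `--scan` inside the mounted live filesystem (or under `chroot`) so that `rpm` reads the CD's database rather than the host's. Treating config-only changes as their own class keeps the review queue short, which matches the "dozen or so packages, all trivial configuration changes" observation above, while still flagging unsigned packages and packages signed by a key outside the allowed set.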