Hi all,
I have a few questions concerning up2date.
1) What is RedHat's GPG key? Up2date said it was going to "install the key" but didn't say what the key was.
2) How can I ensure that the packages I download are from RedHat/Fedora and not spoofed/trojaned? (By the man in middle attack)
Thanks, --TongKe

On Thu, Sep 30, 2004 at 04:18:57PM -0700, TongKe Xue wrote:
> Hi all,
> I have a few questions concerning up2date.
> - What is RedHat's GPG key? Up2date said it was going to "install the
> key" but didn't say what the key was.
The RPM-GPG-KEY is included in the top (root) of the CD images and is also available under the /usr/share/rhn directory.
> - How can I ensure that the packages I download are from
> RedHat/Fedora and not spoofed/trojaned? (By the man in middle attack)
That is supposedly what the GPG keys do. For rawhide, however, they don't usually sign all the packages. To some extent you have to trust the connections to wherever. If you have a real reason for paranoia you might want to consider buying a distribution rather than downloading it.

On Fri, 01.10.2004, at 1:18, TongKe Xue wrote:
> - What is RedHat's GPG key? Up2date said it was going to "install the
> key" but didn't say what the key was.
http://www.fedorafaq.org/#gpgsig
> - How can I ensure that the packages I download are from
> RedHat/Fedora and not spoofed/trojaned? (By the man in middle attack)
This is the intent of the GPG signing and md5sum. You can run
rpm -Kv packagename-version.arch.rpm
and check the output.
rpm or the "frontends" up2date or yum handle the signature and checksum checking automatically.
> --TongKe
Alexander
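
What "check the output" of `rpm -Kv` can look like in a script, as an added example that is not part of the original thread: it treats a package whose digests pass but which carries no signature line as unsigned rather than verified. The sample outputs, package name and key ID are constructed placeholders, and the line layout is assumed to follow rpm 4.x verbose output, which varies between versions.

```shell
#!/bin/sh
# Classify verbose `rpm -Kv <file>` output read from stdin.
# Prints one of: signed-ok, unsigned, nokey, bad
# Real use (assumes rpm is installed):
#   rpm -Kv some.rpm 2>&1 | classify_rpm_check
classify_rpm_check() {
    awk '
        /signature:/ {
            sig = 1
            if ($0 ~ /NOKEY/) { nokey = 1 }        # signer key not imported
            else if ($0 !~ /: OK/) { bad = 1 }     # signature did not verify
        }
        /digest:/ && $0 !~ /: OK/ { bad = 1 }      # checksum mismatch
        END {
            if (bad)        print "bad"
            else if (nokey) print "nokey"
            else if (!sig)  print "unsigned"       # digests alone prove nothing
            else            print "signed-ok"
        }'
}

# Constructed sample outputs (placeholder package name and key ID).
SAMPLE_SIGNED='example-1.0-1.noarch.rpm:
    Header V3 DSA signature: OK, key ID 00000000
    Header SHA1 digest: OK
    MD5 digest: OK
    V3 DSA signature: OK, key ID 00000000'

SAMPLE_UNSIGNED='example-1.0-1.noarch.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

SAMPLE_NOKEY='example-1.0-1.noarch.rpm:
    Header V3 DSA signature: NOKEY, key ID 00000000
    Header SHA1 digest: OK
    MD5 digest: OK
    V3 DSA signature: NOKEY, key ID 00000000'

SAMPLE_BAD='example-1.0-1.noarch.rpm:
    Header V3 DSA signature: OK, key ID 00000000
    Header SHA1 digest: OK
    MD5 digest: BAD
    V3 DSA signature: BAD, key ID 00000000'

for s in "$SAMPLE_SIGNED" "$SAMPLE_UNSIGNED" "$SAMPLE_NOKEY" "$SAMPLE_BAD"; do
    printf '%s\n' "$s" | classify_rpm_check
done
```

Only `signed-ok` means the package was signed by a key already imported into the rpm keyring; `nokey` means the signature could not be checked at all.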