Chapter 7

Using RPM to Verify
Package Files

Table 7.1. Package verification syntax and options.

7.1. rpm -K: What Does It Do?

One aspect of RPM is that you can get a package from the Internet and easily install it. But what do you know about that package file? Is the organization listed as being the vendor of the package really the organization that built it? Did someone make unauthorized changes to it? Can you trust that, if installed, it won't mail a copy of your password file to a system cracker?

Features built into RPM allow you to make sure that the package file you've just gotten won't cause you problems after it's installed, whether the package was corrupted by line noise when you downloaded it or something more sinister happened to it.

The command rpm -K (the option --checksig is equivalent) verifies a package file. Using this command, it is easy to make sure the file has not been changed in any way. rpm -K can also be used to make sure that the package was actually built by the organization listed as being the package's vendor. That's all very impressive, but how does it do that? Well, it just needs help from some "pretty good" software.

7.1.1. Pretty Good Privacy: RPM's Assistant

The "pretty good" software we're referring to is known as pretty good privacy, or PGP. While all the information on PGP could fill a book (or several), we've provided a quick introduction to help you get started.

If PGP is new to you, a quick glance through Appendix G, "An Introduction to PGP," should get you well on your way to understanding, building, and installing PGP. If, on the other hand, you've got PGP already installed and have sent an encrypted message or two, you're probably more than ready to continue with this chapter.

7.2. Configuring PGP for rpm -K

After PGP is properly built and installed, the actual configuration for RPM is trivial. Here's what needs to be done:

1. PGP must be in your path. If PGP's usage message doesn't come up when you enter pgp at your shell prompt, you'll need to add PGP's directory to your path.
2. PGP must be able to find the public keyring file that you want to use when checking package file signatures. You can use two methods to direct PGP to the public keyring:
   • Set the PGPPATH environment variable to point to the directory containing the public keyring file.
   • Set the pgp_path rpmrc file entry to point to the directory containing the public keyring file. For more information on rpmrc files, rpmrc file entries, and how to use them, please see Appendix B, "The rpmrc File."

Now we're ready.

7.3. Using rpm -K

After all the preliminaries with PGP, it's time to get down to business. First, we need to get the package builder's public key and add it to the public keyring file used by RPM. You'll need to do this once for each package builder whose packages you'll want to check. This is what you'll need to do:

# pgp -ka RPM-PGP-KEY ./pubring.pgp

Pretty Good Privacy(tm) 2.6.3a - Public-key encryption for the masses.

(c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 1996-03-04

Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.

Distributed by the Massachusetts Institute of Technology.

Export of this software may be restricted by the U.S. government.

Current time: 1996/06/01 22:50 GMT



Looking for new keys...

pub 1024/CBA29BF9 1996/02/20 Red Hat Software, Inc. <redhat@redhat.com>



Checking signatures...





Keyfile contains:

1 new key(s)



One or more of the new keys are not fully certified.

Do you want to certify any of these keys yourself (y/N)? n

#

Here we've added Red Hat Software's public key, since we're going to check some package files produced by them. The file RPM-PGP-KEY contains the key. At the end, PGP asks whether

we want to certify the new key. We've answered no because it isn't necessary to certify keys to verify package files.

Next, we'll verify a package file:

# rpm -K rpm-2.3-1.i386.rpm

rpm-2.3-1.i386.rpm: size pgp md5 OK

#

While the output might seem somewhat anticlimactic, we can now be nearly 100% certain that this package was produced by Red Hat Software, Inc., and is unchanged from Red Hat's original copy.

The output from this command shows that there are actually three distinct features of the package file that are checked by the -K option:

• The size message indicates that the size of the packaged files has not changed.
• The pgp message indicates that the digital signature contained in the package file is a valid signature of the package file contents, and was produced by the organization that originally signed the package.
• The md5 message indicates that a checksum contained in the package file and calculated when the package was built matches a checksum calculated by RPM during verification. Because the two checksums match, it is unlikely that the package has been modified.

The OK means that each of these tests was successful. If any had failed, the name would have been printed in parentheses. A bit later in the chapter, we'll see what happens when there are verification problems.

7.3.1. -v: Display Additional Information

Adding v to a verification command will produce more interesting output:

# rpm -Kv rpm-2.3-1.i386.rpm

rpm-2.3-1.i386.rpm:

Header+Archive size OK: 278686 bytes

Good signature from user "Red Hat Software, Inc. <redhat@redhat.com>".

Signature made 1996/12/24 18:37 GMT using 1024-bit key, key ID CBA29BF9

With a bit of digging, we can see that each of the three tests was performed, and each passed. The reason for that dire-sounding warning is that PGP is meant to operate without a central authority managing key distribution. PGP certifies keys based on webs of trust. For example,