SDB:Check the validity of a SUSE RPM or ISO file
Verifying the Signatures of SUSE RPM or ISO Files
Concern
You want to verify the signature of a SUSE RPM or SUSE ISO image file.
Background
All RPM packages and ISO images provided by SUSE are signed with GnuPG. The signing key has the key ID 0x9c800aca. A short key ID is only 32 bits long, so whenever you obtain the key, compare the full fingerprint shown here, not just the ID:
# gpg --fingerprint --list-key 0x9c800aca
pub  1024D/9C800ACA 2000-10-19 [expires: 2008-06-21]
     Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA
uid                  SuSE Package Signing Key <build@suse.de>
sub  2048g/8495160C 2000-10-19 [expires: 2008-06-21]
This public key is also present in the RPM database as the package gpg-pubkey-9c800aca (a pseudo-package that carries only the key), which is (usually) imported on every SUSE system:
# rpm -qi gpg-pubkey-9c800aca
Name        : gpg-pubkey                   Relocations: (not relocatable)
Version     : 9c800aca                          Vendor: (none)
Release     : 40d8063e                      Build Date: Fri Mar 18 13:38:40 2005
Install date: Fri Mar 18 13:38:40 2005      Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
Size        : 0                                License: pubkey
Signature   : (none)
Summary     : gpg(SuSE Package Signing Key <build@suse.de>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.1.1 (beecrypt-2.2.0)

mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff4JctBsgs
47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA
+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D
+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDi
Jtr99Rs6xa0ScZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp
8bEhELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn
4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHA
eSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohiBBMRAgAiBQJA2AY+AhsDBQkObd+9
BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtronIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0s
IwCffG9bCNnrETPlgOn+dGEkAWegKL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL
512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7Lm
AD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3Xo
UNDVwM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzne
OA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPA
gJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYv
B6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BuQIN
BDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08
IQSMNRaq4VgSe+PdYgIy0fbj23Via5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAK
tmgR0ERUTafTM9Wb6F13CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0
S5nLrHbIvGLp271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWR
HqlEt5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMGB/9g
+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZwrbSTM5LpC/U6
sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6TtIJlGG6pqUN8QxGJYQnon
l0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFLrWn7mfoGx6INQjf3HGQpMXAWuSBQ
hzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5HRKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWn
ZpiWiR83oi32+xtWUY2U7Ae38mMag8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoF
CQ5t3+gACgkQqE7a6JyACspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9
kOV6uq71sUuO
=pJli
-----END PGP PUBLIC KEY BLOCK-----
Distribution: (none)
The public key can also be downloaded from any public key server (e.g., blackhole.pca.dfn.de). Whichever source you use, a key server does not vouch for the key: compare its full fingerprint with the one printed above before you import or trust it.
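To see where that fingerprint comes from, here is an added example (it is not part of the SDB article and not SUSE tooling; the function names are my own) that takes the public-key packet out of the key block printed by rpm -qi above and recomputes the fingerprint from it. The base64 excerpt is the first eight lines of that key block, copied from this page; they already hold the entire public-key packet, which is all a V4 fingerprint covers. A match proves that the key material sitting in the RPM database is the key the published fingerprint describes, independent of what gpg chooses to print:

```python
import base64
import hashlib

# First eight 72-column lines of the armored key printed by rpm -qi above.
# Excerpt constructed for this example: it contains the complete
# public-key packet (tag 6), which is all a fingerprint is computed over.
SUSE_KEY_HEAD_B64 = (
    "mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff4JctBsgs"
    "47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA"
    "+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D"
    "+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDi"
    "Jtr99Rs6xa0ScZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp"
    "8bEhELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn"
    "4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHA"
    "eSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr"
)

# Fingerprint printed by gpg --fingerprint above, spaces removed.
EXPECTED_FINGERPRINT = "79C179B2E1C820C1890F9994A84EDAE89C800ACA"


def first_packet(data):
    """Return (tag, body) of the first old-format packet (RFC 4880 section 4.2.1)."""
    hdr = data[0]
    if hdr & 0xC0 != 0x80:
        raise ValueError("not an old-format packet header")
    if hdr & 0x03 == 3:
        raise ValueError("indeterminate packet length not supported")
    hlen = (2, 3, 5)[hdr & 0x03]          # 1-, 2- or 4-byte length field
    blen = int.from_bytes(data[1:hlen], "big")
    if len(data) < hlen + blen:
        raise ValueError("truncated packet")
    return (hdr >> 2) & 0x0F, data[hlen:hlen + blen]


def mpi_bit_lengths(buf):
    """Walk a run of MPIs (2-byte bit count, then the value); return the bit counts."""
    pos, bits = 0, []
    while pos + 2 <= len(buf):
        n = int.from_bytes(buf[pos:pos + 2], "big")
        bits.append(n)
        pos += 2 + (n + 7) // 8
    if pos != len(buf):
        raise ValueError("malformed MPI section")
    return bits


def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length and the body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def describe_key(b64, expected_fpr=EXPECTED_FINGERPRINT):
    tag, body = first_packet(base64.b64decode(b64))
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    fpr = v4_fingerprint(body)
    return {
        "version": body[0],
        "created": int.from_bytes(body[1:5], "big"),   # Unix time
        "pk_algo": body[5],                            # 17 = DSA
        "mpi_bits": mpi_bit_lengths(body[6:]),         # DSA p, q, g, y
        "fingerprint": fpr,
        "key_id": fpr[-16:],                           # 64-bit key ID
        "short_id": fpr[-8:],                          # the "9c800aca" in the package name
        "matches_expected": fpr == expected_fpr.replace(" ", "").upper(),
    }


if __name__ == "__main__":
    for name, value in describe_key(SUSE_KEY_HEAD_B64).items():
        print(f"{name:>17}: {value}")
```

The 1024-bit p is what gpg abbreviates as "1024D" in its listing, and the last eight hex digits of the fingerprint are the version string of the gpg-pubkey package. Note that the key ID is derived from the fingerprint, so two keys can share a short ID but not a fingerprint; that is why the fingerprint is the value to compare.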
RPM has a built-in mechanism for signing a package without an additional signature file: the signature is stored in the package's signature header. See man 8 rpm for more information about this RPM feature.
Text files (e.g., e-mail or SUSE patch-information files) can be signed by appending the signature to the respective file.
This is not possible with ISO images. Therefore, we provide the signatures for ISO images in a separate .asc file such as the following:
# cat SLES-9-SP-1-i386-RC5-CD3.iso.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQBB7UtlqE7a6JyACsoRAqTeAJ0Uq2oq+k8gWxjRGdIlEqV7dNcMvwCe
JU+zFCM5Q2WfwmXw4LZjCRzWk3A=
=lkm/
-----END PGP SIGNATURE-----
Examples
The ISO image SLES-9-SP-1-i386-RC5-CD3.iso has the signature SLES-9-SP-1-i386-RC5-CD3.iso.asc. To verify the signature, execute the following command:
# gpg --verify SLES-9-SP-1-i386-RC5-CD3.iso.asc SLES-9-SP-1-i386-RC5-CD3.iso
gpg: Signature made Tue Jan 18 18:46:13 2005 CET using DSA key ID 9C800ACA
gpg: Good signature from "SuSE Package Signing Key <build@suse.de>"
This shows that the ISO image was signed with the SUSE build key and that the signature is valid. Unless you have marked the key as trusted in your keyring, gpg additionally prints a warning that the key is not certified with a trusted signature; that warning concerns the trust status of the key, not the validity of the signature, and is exactly why you compare the fingerprint above. A "BAD signature" line means the image or the .asc file has been altered, or the .asc file does not belong to that image.
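The .asc file can be inspected before you have the key at all, which tells you which key you must obtain and fingerprint-check. The following is an added example, not from the SDB article and not from SUSE, with hypothetical function names; the signature text is the one shown above, copied from this page. It strips the armor, checks the armor CRC, decodes the version 3 signature packet and compares the issuer key ID with the published fingerprint:

```python
import base64
import time

# Detached signature for SLES-9-SP-1-i386-RC5-CD3.iso as shown on this page
# (the ISO itself is not needed to inspect the signature).
ISO_SIG_ASC = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQBB7UtlqE7a6JyACsoRAqTeAJ0Uq2oq+k8gWxjRGdIlEqV7dNcMvwCe
JU+zFCM5Q2WfwmXw4LZjCRzWk3A=
=lkm/
-----END PGP SIGNATURE-----
"""

# Fingerprint of the SUSE build key from the gpg --fingerprint output above.
SUSE_BUILD_KEY_FPR = "79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA"


def crc24(data):
    """Armor checksum, RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Strip ASCII armor from one block; return (payload bytes, crc_ok)."""
    lines = [line.strip() for line in text.splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    body = lines[start + 1:end]
    # Armor headers ("Version:", "Comment:") precede a blank line; base64
    # never contains ':' so header lines can be dropped safely.
    while body and (body[0] == "" or ":" in body[0]):
        body.pop(0)
    data_lines = [l for l in body if l and not l.startswith("=")]
    crc_lines = [l for l in body if l.startswith("=")]   # "=XXXX" trailer
    payload = base64.b64decode("".join(data_lines))
    crc_ok = bool(crc_lines) and \
        int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") == crc24(payload)
    return payload, crc_ok


def parse_v3_signature(packet):
    """Fixed fields of a version 3 signature packet, RFC 4880 section 5.2.2."""
    hdr = packet[0]
    if hdr & 0xC0 != 0x80 or (hdr >> 2) & 0x0F != 2:
        raise ValueError("not an old-format signature packet (tag 2)")
    if hdr & 0x03 == 3:
        raise ValueError("indeterminate packet length not supported")
    hlen = (2, 3, 5)[hdr & 0x03]
    body = packet[hlen:hlen + int.from_bytes(packet[1:hlen], "big")]
    if body[0] != 3 or body[1] != 5:   # v3 signatures hash exactly 5 octets
        raise ValueError("only version 3 signatures are handled here")
    sig = {
        "version": 3,
        "sig_type": body[2],                            # 0x00 = binary document
        "created": int.from_bytes(body[3:7], "big"),    # Unix time
        "key_id": body[7:15].hex().upper(),             # 64-bit issuer key ID
        "pk_algo": body[15],                            # 17 = DSA
        "hash_algo": body[16],                          # 2 = SHA-1
        "hash_prefix": body[17:19].hex().upper(),       # first 16 bits of the hash
    }
    # Remaining octets are the DSA (r, s) MPIs: 2-byte bit count, then value.
    pos, bits = 19, []
    while pos + 2 <= len(body):
        n = int.from_bytes(body[pos:pos + 2], "big")
        bits.append(n)
        pos += 2 + (n + 7) // 8
    if pos != len(body):
        raise ValueError("malformed MPI section")
    sig["mpi_bits"] = bits
    return sig


def signer_matches(sig, fingerprint):
    """A v3 signature names only the 64-bit key ID, i.e. the last 16 hex
    digits of the fingerprint, so that suffix is what can be compared."""
    return sig["key_id"] == fingerprint.replace(" ", "").upper()[-16:]


def inspect_signature(asc_text, fingerprint):
    payload, crc_ok = dearmor(asc_text)
    sig = parse_v3_signature(payload)
    sig["crc_ok"] = crc_ok
    sig["issued_by_expected_key"] = signer_matches(sig, fingerprint)
    return sig


if __name__ == "__main__":
    info = inspect_signature(ISO_SIG_ASC, SUSE_BUILD_KEY_FPR)
    info["created_utc"] = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(info["created"]))
    for name, value in info.items():
        print(f"{name:>24}: {value}")
```

This does no cryptography: a matching key ID only means the signature claims to come from the SUSE key, and gpg --verify still has to check the DSA values against the image. The useful outcome is the refusal case: an .asc file whose key ID does not match the published fingerprint, or whose armor CRC fails, should not be handed to gpg at all, and the timestamp it carries is the same one gpg prints in its "Signature made" line.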
Another example for the RPM package postfix.rpm:
To verify the signature, execute the following command:
# rpm -v -qp --checksig postfix.rpm
Header SHA1 digest: OK (485aa97377bc4ae4013ffeb3992e59211d3fba57)
MD5 digest: OK (ef6f9bcab1197e0923ca0c2e6b2dc8e9)
V3 DSA signature: OK, key ID 9c800aca
The rpm output shows that the header and payload digests are intact and that the embedded signature was made by the SUSE build key (key ID 9c800aca) and verifies. Note that rpm checks the signature against the public keys imported into the RPM database (the gpg-pubkey packages), not against your gpg keyring. If the key has not been imported, rpm reports the signature as NOKEY; the digests alone only prove that the file is not corrupted, not that it comes from SUSE.
Keywords (sdb_keywords): gpg,build-key,signature,check,verify,rpm
SDB:YOU Reports Problems Verifying Patch Signatures
SDB:YOU or RPM Report Problems Verifying Package Signatures