SDB:Check the validity of a SUSE RPM or ISO file



Verifying the Signatures of SUSE RPM or ISO Files

Concern

You want to verify the signature of a SUSE RPM or SUSE ISO image file.

Background

All RPMs or ISOs provided by SUSE are signed with a gpg signature. The key number the files are signed with is 0x9c800aca.

 # gpg --fingerprint --list-key 0x9c800aca
 pub   1024D/9C800ACA 2000-10-19 [expires: 2008-06-21]
       Key fingerprint = 79C1 79B2 E1C8 20C1 890F  9994 A84E DAE8 9C80 0ACA
 uid                  SuSE Package Signing Key <build@suse.de>
 sub   2048g/8495160C 2000-10-19 [expires: 2008-06-21]

This public key is provided by the gpg-pubkey-9c800aca.rpm package, which is (usually) installed on every SUSE system.

 # rpm -qi gpg-pubkey-9c800aca
 Name        : gpg-pubkey                   Relocations: (not relocatable)
 Version     : 9c800aca                          Vendor: (none)
 Release     : 40d8063e                      Build Date: Fri Mar 18 13:38:40 2005
 Install date: Fri Mar 18 13:38:40 2005      Build Host: localhost
 Group       : Public Keys                   Source RPM: (none)
 Size        : 0                                License: pubkey
 Signature   : (none)
 Summary     : gpg(SuSE Package Signing Key <build@suse.de>)
 Description :
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: rpm-4.1.1 (beecrypt-2.2.0)

 -----END PGP PUBLIC KEY BLOCK-----

 Distribution: (none)
 

The public key can also be downloaded from any key server (e.g., blackhole.pca.dfn.de).

RPM itself has a mechanism for signing a package without a separate signature file: the signature is stored inside the RPM package header. See man 8 rpm for more information about this RPM feature.

Text files (e.g., e-mail or SUSE patch-information files) can be signed by appending the signature to the respective file.

This is not possible with ISO images. Therefore, the signature for an ISO image is provided as a detached signature in a separate .asc file, such as the following:

 # cat SLES-9-SP-1-i386-RC5-CD3.iso.asc
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.0.7 (GNU/Linux)

 iD8DBQBB7UtlqE7a6JyACsoRAqTeAJ0Uq2oq+k8gWxjRGdIlEqV7dNcMvwCe
 JU+zFCM5Q2WfwmXw4LZjCRzWk3A=
 =lkm/
 -----END PGP SIGNATURE-----
 

Examples

The ISO image SLES-9-SP-1-i386-RC5-CD3.iso has the signature SLES-9-SP-1-i386-RC5-CD3.iso.asc. To verify the signature, execute the following command:

 # gpg --verify SLES-9-SP-1-i386-RC5-CD3.iso.asc SLES-9-SP-1-i386-RC5-CD3.iso
 gpg: Signature made Tue Jan 18 18:46:13 2005 CET using DSA key ID 9C800ACA
 gpg: Good signature from "SuSE Package Signing Key <build@suse.de>"

This shows that the ISO image was signed with the SUSE build key and that the signature is valid.

Another example, for the RPM package postfix.rpm. To verify its embedded signature, execute the following command:

 # rpm -v -qp --checksig postfix.rpm
     Header SHA1 digest: OK (485aa97377bc4ae4013ffeb3992e59211d3fba57)
     MD5 digest: OK (ef6f9bcab1197e0923ca0c2e6b2dc8e9)
     V3 DSA signature: OK, key ID 9c800aca
 

Like the gpg output above, this shows the key ID of the SUSE build key and that the signature is valid.
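Added example, not part of the SDB article: a POSIX sh helper that wraps the two verification commands shown above and pins the result to the key fingerprint and key ID given on this page, because gpg reports "Good signature" for any key that happens to be in the keyring. The function names and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SUSE SDB article): pin the result of the two
# verification commands to the SuSE Package Signing Key. "Good signature" only
# proves the signer is *some* key in the keyring, so the fingerprint (from the
# article) is compared as well. Sample outputs used with these are constructed.

SUSE_FPR="79C179B2E1C820C1890F9994A84EDAE89C800ACA"   # 0x9C800ACA, spaces removed
SUSE_KEYID="9c800aca"                                   # short ID as rpm -Kv prints it

# Reads "gpg --status-fd 1 --verify" output on stdin. Returns 0 when a VALIDSIG
# line names the expected fingerprint (signing or primary key), 2 when the
# signature is valid but from another key, 1 when there is no valid signature.
status_has_validsig() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    rc=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- ${line#"[GNUPG:] VALIDSIG "}  # $1 = signing fpr, last = primary fpr
                for primary; do :; done
                if [ "$1" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    rc=0
                elif [ "$rc" -ne 0 ]; then
                    rc=2
                fi ;;
        esac
    done
    return "$rc"
}

# Reads "rpm -Kv file.rpm" output on stdin. Succeeds only if a signature line
# says OK and names the expected key ID. First pattern is the rpm 4.1-era form
# shown in the article; second is the "Signature, key ID xxx: OK" form of newer
# rpm. NOKEY, BAD, another key, or digests with no signature line at all fail.
rpm_sig_ok() {
    ok=1
    while IFS= read -r line; do
        case "$line" in
            *" signature: OK, key ID $1"*|*"Signature, key ID $1: OK"*) ok=0 ;;
            *" signature: "*|*"Signature, key ID "*) return 1 ;;
        esac
    done
    return "$ok"
}

# Wrappers around the commands the article shows (gpg takes the .asc file first).
verify_iso() { gpg --batch --status-fd 1 --verify "$2" "$1" | status_has_validsig "$SUSE_FPR"; }
verify_rpm() { rpm -Kv "$1" | rpm_sig_ok "$SUSE_KEYID"; }

# Usage: verify_iso SLES-9-SP-1-i386-RC5-CD3.iso SLES-9-SP-1-i386-RC5-CD3.iso.asc && echo "ISO OK"
#        verify_rpm postfix.rpm && echo "RPM OK"
```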

Keywords (sdb_keywords): gpg,build-key,signature,check,verify,rpm

SDB:YOU Reports Problems Verifying Patch Signatures

SDB:YOU or RPM Report Problems Verifying Package Signatures
