How to validate yum installed packages
This is probably something really simple.
I've run an update cmd to get the latest packages for my RHEL 6 system with:
Code:
# yum update
Looking at the RHN security documents section at this link here, I saw the package name and md5/sha256 values for my particular architecture for libxfont. So I'm a little stuck on how to compare that value to what was installed on my system. I ran the following command to get information on the libxfont package on my system:
Code:
# yum info SK
|
I did find an rpm command that did something similar:
Code:
# rpm -qi libXfont-1.4.5-3.el6_5.x86_64
Ideas?
|
I've always assumed that the validating is done by yum. You could always download a package, validate the checksum, and then install it with yum.
|
Code:
rpm -q --dump libXfont
Also note, if you use prelink then the digest may not match, so run
Code:
rpm -Vv libXfont
|
That fix also is supposed to have some script that fixes older stuff if I read it correctly.
I agree that most users would rely on the software manager. One could check sha1 or md5 of each installed file too. You'd think they would make a simple tool that monitors that daily or weekly.
|
I don't know which version of yum you're using (the most recent is 3.4.3), but even the current version in Fedora 20 validates each install. Here's a brief selection from the output from my most recent F20 yum upgrade run:
Code:
  Cleanup    : policycoreutils-restorecond-2.2.5-1.fc20.x86_64    181/185
|
How is it verifying the files? md5 or sha1, or simply by a file reporting that it is up to date?
|
A quick grep of /usr/lib/python2.7/site-packages/yum/*.py suggests that, at a minimum, the GPG signature of all packages is verified (unless, of course, you've opted to ignore PGP verification), and that the checksum of each file in every package is also verified. (Those two checks have, of course, almost always been in yum. :))
In packages.py, there's this list of possible "problems" with a package:
Code:
class _PkgVerifyProb:
|
As above, normally yum checks/verifies as it loads.
You can also use
Code:
rpm {-V|--verify} [select-options] [verify-options]
|
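The `rpm -V` output the two replies above point at is terse: a nine-column flag field, an optional file-type letter, and the path. As an added example (not code from the thread or from rpm's own tooling), here is a small POSIX sh reader for it that names each changed attribute and returns non-zero only for the findings that matter for integrity, a changed content digest or a missing file, rather than for a touched mtime. The function names and the three sample lines are mine and constructed for illustration. One caveat worth knowing on RHEL 6: rpm runs `prelink -y` (the `%__prelink_undo_cmd` macro) on prelinked binaries before hashing them, so a `5` on such a file still means the contents differ from what the package shipped.

```shell
#!/bin/sh
# Added example, not code from the thread: turn `rpm -V` output into a readable
# report. Column letters per rpm(8):
#   S size  M mode  5 digest  D device  L readlink  U user  G group  T mtime  P caps
# '.' means the test passed, '?' that it could not be run, "missing" that the
# file is gone. Function names and sample lines are mine.

# Map one flag field such as "S.5....T." to comma-separated attribute names.
rpm_verify_flag_names() {
    rest=$1 names=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character
        rest=${rest#?}
        case $c in
            S) names="${names}size," ;;    M) names="${names}mode," ;;
            5) names="${names}digest," ;;  D) names="${names}device," ;;
            L) names="${names}symlink," ;; U) names="${names}user," ;;
            G) names="${names}group," ;;   T) names="${names}mtime," ;;
            P) names="${names}caps," ;;  '?') names="${names}untestable," ;;
        esac
    done
    printf '%s\n' "${names%,}"
}

# Read `rpm -V` output on stdin and print "<path>: <names>" per changed file.
# Returns 1 if any file's content digest changed or a file is missing (the
# findings that matter for integrity), 0 if only metadata such as mtime moved.
rpm_verify_report() {
    rc=0
    while read -r flags ftype path; do
        # Lines without a file-type column (c, d, g, ...) leave the path in $ftype.
        if [ -z "$path" ]; then path=$ftype; ftype=""; fi
        case $flags in
            missing)
                printf '%s: missing\n' "$path"
                rc=1 ;;
            ?????????)
                case $flags in *5*) rc=1 ;; esac
                names=$(rpm_verify_flag_names "$flags")
                [ -n "$names" ] && printf '%s: %s\n' "$path" "$names" ;;
            *) ;;                       # e.g. "Unsatisfied dependencies" lines
        esac
    done
    return "$rc"
}

# Constructed sample output (not a real run) in rpm -V's column layout:
SAMPLE_RPM_V='..5....T.    /usr/lib64/libXfont.so.1.4.1
.......T.    /usr/share/doc/libXfont-1.4.5/COPYING
missing      /usr/share/doc/libXfont-1.4.5/README'

demo() {
    printf '%s\n' "$SAMPLE_RPM_V" | rpm_verify_report
    echo "exit status: $?"
}
demo
```

To use it on a live box, pipe the real thing in: `rpm -V libXfont | rpm_verify_report`. Config files (type `c`) that show only `S`, `5` and `T` are usually local edits rather than tampering; a `5` on a binary or library under /usr is the line to chase.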
Thanks guys for the replies, although they weren't what I was looking for. I agree that "yum is supposed to do that for me". And it does it well.
However, I needed to prove the below statements to my upper management (who are not technical, which is why they want all this):
- The hash/checksum of the libXfont rpm file (not each file it installed; thanks anyway though, unSpawn).
- This has to be the rpm file that yum downloaded.
- It has to match the hash/checksum that the vendor gives.

I talked to Red Hat, they gave me an interesting solution, so I figured I'd share it. The biggest problem I had with management was proving to them that the hash/checksum of the rpm file I was looking at 'was in fact the exact file that yum downloaded' (even though we all know yum does that for us, management wanted to see the checksum values). Red Hat told me that when you install a package via yum, yum does download an rpm, then validates its hash/checksum, installs the package, updates the yumdb, then removes the rpm. So I was like... great, so the rpm file is removed, how can I get the hash for that file? :( I asked if I could somehow 'query that yum db' they mentioned to get the hash/checksum of the rpm file that was used, and they said yes.

Here is what they recommended for my situation (and I agree it is redundant to prove to someone what yum already proves, but anyway):

1. Query the package to get the name:
Code:
# rpm -q libXfont
libXfont-1.4.5-2.el6.x86_64

2. Download the file that yum will download when using the yum upgrade command (this was key for me):
Code:
# yumdownloader $result_from_one_above
...
Loaded plugins: product-id, refresh-packagekit, rhnplugin
This system is receiving updates from RHN Classic or RHN Satellite.
libXfont-1.4.5-2.el6.x86_64.rpm

3. Now validate via sha256 (or whatever checksum type you want) of the rpm file in step 2:
Code:
# sha256sum libXfont-1.4.5-2.el6.x86_64.rpm
9be0c46a152aef5b8b64e2b17cf01b1c62ede2f0f6fa68a5b91b34dcd7bccd69  libXfont-1.4.5-2.el6.x86_64.rpm

4. Now query the db (that yum updates) for the hash/checksum of the rpm package that yum installed (this was the other key for me):
Code:
# yumdb info libXfont
libXfont-1.4.5-2.el6.x86_64
     changed_by = 500
     checksum_data = 9be0c46a152aef5b8b64e2b17cf01b1c62ede2f0f6fa68a5b91b34dcd7bccd69
     checksum_type = sha256
     command_line = update
     from_repo = rhel-x86_64-server-6
     from_repo_timestamp = 1381166124
     installed_by = 4294967295
     reason = dep
     releasever = 6Server

Code:
checksum_data = 9be0c46a152aef5b8b64e2b17cf01b1c62ede2f0f6fa68a5b91b34dcd7bccd69
9be0c46a152aef5b8b64e2b17cf01b1c62ede2f0f6fa68a5b91b34dcd7bccd69

This was what yum upgrade already does, I know. But I had to prove that what yum installed had the same checksum as the rpm that Red Hat provided for a patch. They basically were going to force me to download rpms and install manually instead of using yum... gotta love management. Hope this helps clarify what I needed and helps someone in the future.
|
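The four steps in the post above, automated as a script. This is an added example, not code from the thread or from Red Hat: the function names are mine, the yumdb record and the stand-in "rpm" file in the demo section are constructed so the comparison runs without yum or network access, and the live wrapper assumes yum-utils (for `yumdownloader`) and `yumdb` are available as they are on the RHEL 6 system in the thread. It goes slightly beyond the post by reading `checksum_type` from yumdb instead of assuming sha256, and by returning a distinct status for a mismatch so it can be dropped into a cron job or an audit runbook.

```shell
#!/bin/sh
# Added example, not code from the thread or from Red Hat: automate steps 1-4
# above and compare the checksum yumdb recorded at install time with a fresh
# download of the same NEVRA. Function names are mine; the demo data below is
# constructed so the comparison can run without yum or network access.

# Print the value of one "key = value" field from `yumdb info` output on stdin.
yumdb_field() {
    awk -v k="$1" '$1 == k && $2 == "=" { print $3; exit }'
}

# Hash a file with the algorithm yumdb names in checksum_type.
file_checksum() {   # usage: file_checksum <file> <sha256|sha1|md5>
    case $2 in
        sha256) tool=sha256sum ;;
        sha1)   tool=sha1sum ;;
        md5)    tool=md5sum ;;
        *) echo "unsupported checksum_type: $2" >&2; return 2 ;;
    esac
    "$tool" "$1" | awk '{ print $1 }'
}

# Compare a downloaded rpm with the checksum yumdb holds for the installed one.
# Prints MATCH or MISMATCH; returns 0 on match, 1 on mismatch, 2 on error.
compare_checksum() {   # usage: compare_checksum <rpmfile> "<yumdb info output>"
    ctype=$(printf '%s\n' "$2" | yumdb_field checksum_type)
    expected=$(printf '%s\n' "$2" | yumdb_field checksum_data)
    if [ -z "$ctype" ] || [ -z "$expected" ]; then
        echo "no checksum_type/checksum_data in yumdb output" >&2
        return 2
    fi
    actual=$(file_checksum "$1" "$ctype") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "MATCH $ctype $actual"
        return 0
    fi
    echo "MISMATCH $ctype yumdb=$expected file=$actual"
    return 1
}

# Live version of the thread's steps (needs yum-utils for yumdownloader and
# access to the repository). Not exercised by the demo below.
verify_installed_pkg() {   # usage: verify_installed_pkg libXfont
    nevra=$(rpm -q "$1") || return 2
    dir=$(mktemp -d) || return 2
    yumdownloader --destdir "$dir" "$nevra" >/dev/null || return 2
    compare_checksum "$dir/$nevra.rpm" "$(yumdb info "$1")"
}

# Constructed demo data: a throwaway file standing in for the downloaded rpm,
# and a yumdb record whose checksum_data is that file's real sha256.
DEMO_RPM=$(mktemp)
trap 'rm -f "$DEMO_RPM"' EXIT
printf 'not a real rpm, just bytes to hash\n' > "$DEMO_RPM"
DEMO_HASH=$(sha256sum "$DEMO_RPM" | awk '{ print $1 }')
DEMO_YUMDB="libXfont-1.4.5-2.el6.x86_64
     changed_by = 500
     checksum_data = $DEMO_HASH
     checksum_type = sha256
     from_repo = rhel-x86_64-server-6"
# Same record with the first hex digit of the checksum replaced by a non-hex
# character, so it can never match any real digest.
TAMPERED_YUMDB=$(printf '%s\n' "$DEMO_YUMDB" | sed 's/checksum_data = ./checksum_data = x/')

demo() {
    compare_checksum "$DEMO_RPM" "$DEMO_YUMDB";     echo "status $?"
    compare_checksum "$DEMO_RPM" "$TAMPERED_YUMDB"; echo "status $?"
}
demo
```

Two practical notes. `checksum_data` is the checksum yum took from the repository metadata and verified against the .rpm before installing it, so a fresh `yumdownloader` of the same NEVRA should match unless the repository has since replaced the package under the same version, which is itself worth a question to the vendor. And if management also wants proof the file came from the vendor rather than just proof it is unchanged, `rpm -K` on the downloaded file checks the package's GPG signature against the imported Red Hat key, which a hash comparison alone does not establish.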