LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices



Reply
 
Search this Thread
Old 02-14-2014, 04:07 PM   #1
scryptkiddy
LQ Newbie
 
Registered: Jan 2014
Posts: 10

Rep: Reputation: Disabled
How to validate yum installed packages


This is probably something really simple.


I've run an update cmd to get the latest packages for my RHEL 6 system with:
Code:
# yum update
After it finished, I wanted to see if one of the newly updated packages (libxfont in this case) was indeed valid via hash check.

Looking at the RHN security documents section at this link here, I saw the package name and md5 /sha256 values for my particular architecture for libxfont.

So I'm a little stuck on how to compare that value to what was installed on my system.
I ran the following command to get information on the libxfont package on my system:

Code:
# yum info 
...
Installed Packages
Name        : libXfont
Arch        : x86_64
Version     : 1.4.5
Release     : 3.el6_5
Size        : 295 k
Repo        : installed
From repo   : rhel-6-server-rpms
Summary     : X.Org X11 libXfont runtime library
URL         : http://www.x.org
License     : MIT
Description : X.Org X11 libXfont runtime library
#
However, there is no output for MD5 or SHA256 values. What command do I run to get the system (via yum / rpm / whatever) to tell me the md5 / sha256 values for the libxfont package now updated on my system?

SK

Last edited by scryptkiddy; 02-14-2014 at 04:43 PM. Reason: grammar
 
Old 02-14-2014, 04:45 PM   #2
scryptkiddy
LQ Newbie
 
Registered: Jan 2014
Posts: 10

Original Poster
Rep: Reputation: Disabled
I did find rpm command that did something similar:

Code:
# rpm -qi libXfont-1.4.5-3.el6_5.x86_64
Name        : libXfont                     Relocations: (not relocatable)
Version     : 1.4.5                             Vendor: Red Hat, Inc.
Release     : 3.el6_5                       Build Date: Wed 08 Jan 2014 07:08:50 PM UTC
Install Date: Fri 24 Jan 2014 06:56:12 PM UTC      Build Host: x86-022.build.eng.bos.redhat.com
Group       : System Environment/Libraries   Source RPM: libXfont-1.4.5-3.el6_5.src.rpm
Size        : 301619                           License: MIT
Signature   : RSA/8, Thu 09 Jan 2014 10:04:24 AM UTC, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.x.org
Summary     : X.Org X11 libXfont runtime library
Description :
X.Org X11 libXfont runtime library
#
There is a "Signature" output though, but still nothing for the md5 or sha256 values of the package.

Ideas?
 
Old 02-15-2014, 12:33 PM   #3
DavidMcCann
Senior Member
 
Registered: Jul 2006
Location: London
Distribution: CentOS, Salix
Posts: 3,319

Rep: Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881
I've always assumed that the validating is done by yum. You could always download a package, validate the checksum, and then install it with yum.
 
Old 02-15-2014, 12:47 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 28,179
Blog Entries: 54

Rep: Reputation: 3142Reputation: 3142Reputation: 3142Reputation: 3142Reputation: 3142Reputation: 3142Reputation: 3142Reputation: 3142Reputation: 3142Reputation: 3142Reputation: 3142
Quote:
Originally Posted by scryptkiddy View Post
What command do I run to get the system (via yum / rpm / whatever) to tell me the md5 / sha256 values for the libxfont package now updated on my system?
Code:
rpm -q --dump libXfont
Note the digest is SHA256.
Also note if you use prelink then the digest may not match so run
Code:
rpm -Vv libXfont
instead and watch the "5".
 
Old 02-15-2014, 04:04 PM   #5
jefro
Guru
 
Registered: Mar 2008
Posts: 12,328

Rep: Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561
That fix also is supposed to have some script that fixes older stuff if I read it correctly.

I agree that most users would rely on the software manager. One could check shal or md5 of each installed file too. You'd think they would make a simple tool that monitors that daily or weekly.
 
Old 02-15-2014, 04:44 PM   #6
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,157

Rep: Reputation: 333Reputation: 333Reputation: 333Reputation: 333
I don't know which version of yum you're using (The most recent is 3.4.3), but even the current version in Fedora 20 validates each install. Here's a brief selection from the output from my most recent F20 yum upgrade run:
Code:
  Cleanup    : policycoreutils-restorecond-2.2.5-1.fc20.x86_64          181/185 
  Cleanup    : python3-matplotlib-1.3.0-1.fc20.x86_64                   182/185 
  Cleanup    : ibus-chewing-1.4.3-4.fc20.x86_64                         183/185 
  Cleanup    : bluez-5.13-1.fc20.x86_64                                 184/185 
  Cleanup    : libyaml-0.1.4-5.fc20.x86_64                              185/185 
  Verifying  : libvirt-daemon-driver-nodedev-1.1.3.3-5.fc20.x86_64        1/185 
  Verifying  : libvirt-daemon-driver-libxl-1.1.3.3-5.fc20.x86_64          2/185 
  Verifying  : mate-panel-1.6.2-1.fc20.x86_64                             3/185 
  Verifying  : nautilus-extensions-3.10.1-3.fc20.x86_64                   4/185 
  Verifying  : 1:java-1.7.0-openjdk-headless-1.7.0.60-2.4.5.1.fc20.x8     5/185 
  Verifying  : 1:java-1.7.0-openjdk-1.7.0.60-2.4.5.1.fc20.x86_64          6/185 
  Verifying  : libyaml-0.1.4-6.fc20.x86_64                                7/185 
  Verifying  : 1:perl-Archive-Extract-0.72-1.fc20.noarch                  8/185
 
Old 02-15-2014, 08:10 PM   #7
jefro
Guru
 
Registered: Mar 2008
Posts: 12,328

Rep: Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561Reputation: 1561
How is it verifying the files? md5 or shal or simply by a file reporting that it is up to date?
 
Old 02-17-2014, 01:29 AM   #8
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,157

Rep: Reputation: 333Reputation: 333Reputation: 333Reputation: 333
A quick grep of /usr/lib/python2.7/site-packages/yum/*.py suggests that, at a minimum, the GPG signature of all packages is verified (unless, of course, you've opted to ignore PGP verification), and that the checksum of each file in every package is also verified. (Those two checks have, of course, almost always been in yum. )

In packages.py, there's this list of possible "problems" with a package:
Code:
class _PkgVerifyProb:
    """ Holder for each "problem" we find with a pkg.verify(). """
    _RPMVERIFY_DIGEST   = (1 << 0)
    _RPMVERIFY_FILESIZE = (1 << 1)
    _RPMVERIFY_LINKTO   = (1 << 2)
    _RPMVERIFY_USER     = (1 << 3)
    _RPMVERIFY_GROUP    = (1 << 4)
    _RPMVERIFY_MTIME    = (1 << 5)
    _RPMVERIFY_MODE     = (1 << 6)
    _RPMVERIFY_RDEV     = (1 << 7)
    _RPMVERIFY_CAPS     = (1 << 8)
    _RPMVERIFY_CONTEXTS = (1 << 15)
How each of those is checked is, I beleive, in the packages.py code if you want more detail.
 
Old 02-17-2014, 04:35 AM   #9
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,401

Rep: Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081Reputation: 2081
As above, normally yum checks/verifies as it loads.
You can also use
Code:
rpm {-V|--verify} [select-options] [verify-options]
http://linux.die.net/man/8/rpm
 
Old 02-18-2014, 02:18 PM   #10
scryptkiddy
LQ Newbie
 
Registered: Jan 2014
Posts: 10

Original Poster
Rep: Reputation: Disabled
Thanks guys for the replies, although they weren't what I was looking for. I agree that "yum is supposed to do that for me". And it does it well.
However, I needed to prove the below statements to my upper management (who is not technical which is why they want all this).

-The hash/checksum of the libXfont rpm file (not each file the installed, thanks anyway though unSpawn).
-This has to be the rpm file that yum downloaded.
-It has to match the hash/checksum that the vendor gives.

I talked to Red Hat, they gave me an interesting solution, so I figured I'd share it. The biggest problem I had with management is proving to them that the hash/checksum of the rpm file I was looking 'was in fact the exact file that yum downloaded' (even though we all know yum does that for us, management wanted to see the checksum values).

Red Hat told me that when you install a package via yum, yum does download an rpm, then validates its hash/checksum, installs the package, updates the yumdb, then removes the rpm. So I was like...great, so the rpm file is removed, how can I get the hash for that file. I asked if I could somehow 'query that yum db' they mentioned to get the hash/checksum of the rpm file that was used and they said yes.

Here is what they recommended for my situation (and I agree it is redundant to prove to someone what yum already proves, but anyway):
1. Query the package to get the name
# rpm -q libXfont
libXfont-1.4.5-2.el6.x86_64

2. Download the file that yum will download when using the yum upgrade command (this was key for me):
# yumdownloader $result_from_one_above
...
Loaded plugins: product-id, refresh-packagekit, rhnplugin
This system is receiving updates from RHN Classic or RHN Satellite.
libXfont-1.4.5-2.el6.x86_64.rpm

3. Now validate via sha256 (or whatever checksum type you want) of the rpm file in step 2
# sha256sum libXfont-1.4.5-2.el6.x86_64.rpm
9be0c46a152aef5b8b64e2b17cf01b1c62ede2f0f6fa68a5b91b34dcd7bccd69 libXfont-1.4.5-2.el6.x86_64.rpm


4. Now query the db (that yum updates) for the hash/checksum of the rpm package that yum installed (this was the other key for me):
# yumdb info libXfont
libXfont-1.4.5-2.el6.x86_64
changed_by = 500
checksum_data = 9be0c46a152aef5b8b64e2b17cf01b1c62ede2f0f6fa68a5b91b34dcd7bccd69
checksum_type = sha256
command_line = update
from_repo = rhel-x86_64-server-6
from_repo_timestamp = 1381166124
installed_by = 4294967295
reason = dep
releasever = 6Server


checksum_data = 9be0c46a152aef5b8b64e2b17cf01b1c62ede2f0f6fa68a5b91b34dcd7bccd69
9be0c46a152aef5b8b64e2b17cf01b1c62ede2f0f6fa68a5b91b34dcd7bccd69



This was what yum upgrade already does, I know. But I had to prove that what yum installed had the same checksum as the rpm that Red Hat provided for a patch. They basically were going to force me to download rpms and install manually instead of using yum...gotta love management.

Hope this helps clarify what I needed and helps someone in the future.

Last edited by scryptkiddy; 02-18-2014 at 03:17 PM. Reason: grammar
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
CentOS/RedHat: How to list all packages I installed via yum? sysbox Linux - Newbie 7 10-03-2013 03:21 PM
YUM Search Result - How to tell if any of the listed packages are installed? Akhran Red Hat 6 07-17-2013 05:46 PM
Couldn't validate Packages! cccc Debian 6 02-24-2011 01:22 PM
yum and packagekit - list installed packages and dependencies allele Linux - Newbie 2 06-24-2009 04:31 PM
yum unable to detect the installed packages ? gopiindiaever Linux - Software 3 09-18-2006 03:24 AM


All times are GMT -5. The time now is 11:02 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration