How to Verify Software before installation?

a49002 · 03-13-2007, 12:58 AM

Folks,

I am new to Linux and wondering what the process is to verify software packages before installation. Specifically, I want to install GnuCash 2.0.5 into Ubuntu. The Sourceforge website has the GnuCash download links plus a .sig file. When I try and verify the .sig file against the downloaded gnucash.gz file I get a warning that there is no public Key?

Unfortunately, there are no MD5 sums shown at the website so what is the usual process for checking software? Do I have to firstly import a Key for GnuCash from a Key server?

I appreciate any help or direction.

Paul

Simon Bridge · 03-13-2007, 02:59 AM

What is wrong with:

sudo apt-get install gnucash

(To verify a file, you must download the public key as well. Available from the same website.)

a49002 · 03-13-2007, 03:40 AM

Quote:

Originally Posted by Simon Bridge

What is wrong with:

sudo apt-get install gnucash

(To verify a file, you must download the public key as well. Available from the same website.)

Thanks for the reply. There has to be a reason Websites include a .sig file for verification (as is the case often with MD5) and with a piece of software that holds all ones personal finance records it makes sense to me to verify that the file is untampered with, especially if downloading from a mirror. I will look for the public key. Thanks.

Paul

pixellany · 03-13-2007, 08:01 AM

If someone is going to tamper with an application file and post it to a mirror, then they can also tamper with the public key.

Assuming your data is backed up, then the risk of simply installing does not seem terribly high.

BUT--why not get Gnucash from the Ubuntu repository????

Simon Bridge · 03-13-2007, 08:14 PM

Quote:

When I try and verify the .sig file against the downloaded gnucash.gz file I get a warning that there is no public Key?

The error message means you need to get the public key.

Presumably there is also a reason sites include checksums and ask you verify the package against them. You were the one asking how to verify packages. Perhaps you need to be more specific about what it is about the package you want to verify?

Note: tampering with software is a fundamental right in OSS/FS. Asking for untampered-with software would seem to defeat the purpose. So I imagine you are concerned about malicious tampering?

If a distributer is concerned about things of this nature, they will usually sign the web page (ssh certificates and things of such ilk). Things you get from that web page would then come from them (with high assurance, i.e. over an ssh tunnel.) and is unlikely to be tampered with en-route.