LinuxQuestions.org

Slackware forum (https://www.linuxquestions.org/questions/slackware-14/)
Thread: A great method for keeping Slackware up-to-date...without slackpkg. (https://www.linuxquestions.org/questions/slackware-14/a-great-method-for-keeping-slackware-up-to-date-without-slackpkg-785339/)

GazL 02-01-2010 06:06 AM

Quote:

Originally Posted by mRgOBLIN (Post 3847447)
Well in theory I guess it is possible but highly unlikely.

They would need to get the private key and know the pass-phrase for it before they could sign anything with it. One benefit of having a small development team is that not many people need or have access to this.

The passphrase is some protection, but could be subject to dictionary attacks and what have you. Best practice would be to only have the signing key on a standalone/offline box and transfer the packages via removable media to be signed on it.

As for md5. I believe that though engineering an md5 collision is possible, it's not all that easy or practical, and the most likely attack would be for the .md5 file itself to be replaced along with the file it relates to. A simple approach to protect against this is to always get the .md5 file and the package itself from different mirrors. I do this myself wherever a pgp signature isn't made available.

I've also seen projects that pgp clearsign the md5sums rather than the individual packages so you know the md5sums will be good without them needing to generate a pgp signature for every file/package.

However, where the pgp signatures are available it makes sense to use them for the added protection.

mRgOBLIN 02-01-2010 06:50 AM

We do both and hence CHECKSUMS.md5.asc

H_TeXMeX_H 02-01-2010 07:19 AM

Quote:

Originally Posted by mRgOBLIN (Post 3848194)
We do both and hence CHECKSUMS.md5.asc

Yep, that's probably the best way to do it. Just check that using gpg and then the md5sums using md5sum. I'll do that, I'll post the script here and on my site when it's ready.

H_TeXMeX_H 02-01-2010 08:10 AM

Um, bit of a problem here:

Code:

bash-3.1$ gpg --import GPG-KEY
gpg: key 40102233: "Slackware Linux Project <security@slackware.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
bash-3.1$ gpg --verify CHECKSUMS.md5.asc
gpg: Signature made Sun 24 Jan 2010 10:55:19 PM EET using DSA key ID 40102233
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233
bash-3.1$ gpg --verify CHECKSUMS.md5.asc CHECKSUMS.md5
gpg: Signature made Sun 24 Jan 2010 10:55:19 PM EET using DSA key ID 40102233
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233

Why does it say that ?

GrapefruiTgirl 02-01-2010 08:35 AM

Why does it say what? Looks pretty standard output to me :scratch:

Lufbery 02-01-2010 08:37 AM

I think he means this part:

Code:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

That seems like a failure to me. :scratch:

GazL 02-01-2010 08:44 AM

It's because the key hasn't been signed by anyone you trust. It's just a warning that you can't be certain the key is valid.
If you want to sign it yourself, to indicate that you know where it's come from and trust it to be good, you can use

Code:

gpg --lsign-key 40102233

You will need to have set up your own signing key to do this. I think there are also some options you can set to disable these warnings, but I've always done it this way, as the warnings are there for a reason.

H_TeXMeX_H 02-01-2010 08:47 AM

Oh, ok, I get it, so it did work. Looks like I haven't used gpg in a while.

GazL 02-01-2010 08:58 AM

Just looked it up....

adding "--trusted-key 40102233" to the gpg command should be enough if you don't want to have to go to the trouble of creating a secret key and signing the key yourself.

I usually create a root@hostname key pair on each of my boxes that I use for the life of the system, for signing purposes. I usually set its passphrase to be the same as the root password so that I don't forget it.

errata: see post 74. I got the command slightly wrong above.

GrapefruiTgirl 02-01-2010 09:04 AM

Thanks GazL for both above posts. That explains things much better than the gpg man page! I've never bothered before, but may just do one of these things.

H_TeXMeX_H 02-01-2010 09:12 AM

Well thanks, but that didn't work. I don't care too much, though, because it does return the right value and that's what matters: it succeeds even if it isn't trusted (like I care).

Anyway, here's the final script, for now. I will only be modifying it to add bug fixes and maybe some requested features. So far it supports a blacklist, gpg, md5sum, and all that. It downloads only packages that you don't have installed.

Code:

#!/bin/sh
# download packages to update slackware
# this script is NOT meant to be run as root

# increase readability
tmpdir="/tmp/usu"
configdir="$HOME/.usu"
# no trailing slash: a "/" is added where paths are joined below
ftpmirror="ftp://ftp.slackware.at/slackware64-13.0/patches"

mkdir -p "$configdir"

# get checksums and .asc if newer
if ! wget -N -P "$configdir" "$ftpmirror/CHECKSUMS.md5*"
then
        echo
        echo 'Error downloading CHECKSUMS.md5 from server !'
        echo
        # fail
        exit 1
fi

# check gpg signature: CHECKSUMS.md5.asc is a detached signature over
# CHECKSUMS.md5, so name both files explicitly instead of letting gpg guess
if ! gpg --verify "$configdir/CHECKSUMS.md5.asc" "$configdir/CHECKSUMS.md5"
then
        echo
        echo 'ERROR: gpg fails to verify CHECKSUMS.md5.asc !'
        echo 'Make sure to run "gpg --import GPG-KEY" to import the key.'
        echo
        # fail
        exit 1
fi

# clean up temp dir from last time
# (this is a fixed name under /tmp, so another local user could create it
# before you do; point tmpdir somewhere under $HOME if that matters to you)
rm -rf "$tmpdir"
mkdir -p "$tmpdir/packages"
cd "$tmpdir/packages" || exit 1
# create an empty placeholder with a fresh mtime for every package that is
# already installed, so the "only newer" mirror below leaves it alone
grep -h 'PACKAGE LOCATION:' /var/log/packages/* | sed 's|.*/||' | xargs -r touch
cd ..

# exclude packages in the blacklist (same placeholder trick)
if test -f "$configdir/blacklist"
then
        cd packages || exit 1
        grep -f "$configdir/blacklist" "$configdir/CHECKSUMS.md5" | sed 's|.*/||' | xargs -r touch
        cd ..
fi

# sync with server (the -r means NOT recursive; -e deletes local files that
# are not on the server; -n only fetches files newer than the local copy)
if ! lftp -c "open $ftpmirror; mirror -r -e -n -I *.t?z --ignore-size packages"
then
        echo
        echo 'ERROR: lftp failed to sync packages from server !'
        echo
        # fail
        exit 1
fi

# drop the placeholders, then keep only the manifest lines for files that
# were really downloaded (-F: file names are literal strings, not regexes)
find ./packages -size 0 -type f -delete
find ./packages -type f > downloaded
grep -F -f downloaded "$configdir/CHECKSUMS.md5" | grep '\./packages/.*\.t[gx]z$' > final.md5

# check for md5sum errors
if test -s final.md5
then
        if md5sum -c final.md5
        then
                # tell user to update the packages as root
                echo
                echo 'Run the following as root to upgrade slackware:'
                echo
                echo "upgradepkg --install-new $tmpdir/packages/*.t?z"
                echo
        else
                echo
                echo 'ERROR: md5sums do not match !'
                echo
                # fail
                exit 1
        fi
else
        echo
        echo 'Your system is up to date !'
        echo
fi

# success
exit 0

The blacklist should be regex because it is parsed by grep, and it would look like:

Code:

mozilla-firefox-.*\.t[gx]z$
bind-.*\.t[gx]z$
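The checksum step that the script above ends with, as an added example that is not part of the posted script or of Slackware: it runs offline on a constructed package tree (two intact packages, one whose bytes differ from the manifest, one file the manifest never mentions) and shows what a practitioner wants checked before calling upgradepkg. It assumes the CHECKSUMS.md5 has already passed `gpg --verify` (the step that makes the MD5 values trustworthy at all) and that entries look like Slackware's, `<md5>  ./packages/<file>`; package names and contents are invented.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes CHECKSUMS.md5 was already
# verified with gpg; the package names and contents below are constructed.

md5_of() {                       # md5 of a string, used only to build the manifest
    printf '%s\n' "$1" | md5sum | cut -d ' ' -f 1
}

# Scratch tree: two intact packages, one tampered/truncated download (its
# bytes differ from what the manifest says), one file the manifest omits.
# The manifest also carries the .asc and .txt lines a real one has. Prints the dir.
setup_tree() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/packages"
    printf 'good package one\n' > "$dir/packages/aaa_base-13.0-x86_64-2.txz"
    printf 'good package two\n' > "$dir/packages/bind-9.6.1_P2-x86_64-1.txz"
    printf 'TAMPERED\n'         > "$dir/packages/zoo-2.10-x86_64-1.txz"
    printf 'unlisted\n'         > "$dir/packages/stray-1.0-x86_64-1.txz"
    {
        printf '%s  %s\n' "$(md5_of 'good package one')"   ./packages/aaa_base-13.0-x86_64-2.txz
        printf '%s  %s\n' "$(md5_of 'good package two')"   ./packages/bind-9.6.1_P2-x86_64-1.txz
        printf '%s  %s\n' "$(md5_of 'good package three')" ./packages/zoo-2.10-x86_64-1.txz
        printf '%s  %s\n' "$(md5_of 'signature')"          ./packages/zoo-2.10-x86_64-1.txz.asc
        printf '%s  %s\n' "$(md5_of 'description')"        ./packages/zoo-2.10-x86_64-1.txt
    } > "$dir/CHECKSUMS.md5"
    echo "$dir"
}

# Keep only manifest entries for plain package files directly under ./packages/:
# drops the .asc/.txt lines and any entry carrying extra path components.
package_entries() {
    grep -E '^[0-9a-f]{32}  \./packages/[^/ ]+\.t[gx]z$' "$1"
}

# Check every downloaded package against the manifest. One line per file,
# "<name>: OK|FAILED|UNLISTED"; returns 1 unless every file is OK, so a
# caller never installs something the signed manifest does not vouch for.
verify_downloads() {
    dir=$1 manifest=$2 rc=0
    entries=$(package_entries "$manifest") || { echo "manifest lists no packages" >&2; return 1; }
    for f in "$dir"/packages/*.t[gx]z; do
        [ -e "$f" ] || continue
        name=${f##*/}
        want=$(printf '%s\n' "$entries" | awk -v n="./packages/$name" '$2 == n { print $1; exit }')
        if [ -z "$want" ]; then
            echo "$name: UNLISTED"; rc=1; continue
        fi
        have=$(md5sum < "$f" | cut -d ' ' -f 1)
        if [ "$have" = "$want" ]; then
            echo "$name: OK"
        else
            echo "$name: FAILED"; rc=1
        fi
    done
    return $rc
}

# Names that are safe to hand to upgradepkg: listed in the manifest and
# matching their checksum. Everything else stays out of the install set.
installable_packages() {
    verify_downloads "$1" "$2" | sed -n 's/: OK$//p'
}

demo_dir=$(setup_tree)
verify_downloads "$demo_dir" "$demo_dir/CHECKSUMS.md5" || echo "refusing to install the full set"
echo "installable:"
installable_packages "$demo_dir" "$demo_dir/CHECKSUMS.md5"
rm -rf "$demo_dir"
```

Run as-is it reports aaa_base and bind as OK, zoo as FAILED and stray as UNLISTED, and only the two OK names come back from installable_packages. The UNLISTED case is the one the `grep -f downloaded CHECKSUMS.md5` step in the script above silently drops: a file that is sitting in the download directory but that the signed manifest never mentions should never reach upgradepkg.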


GazL 02-01-2010 09:40 AM

Quote:

Originally Posted by H_TeXMeX_H (Post 3848366)
Well thanks, but that didn't work,

Yes, that's my fault, I've never used that option before.

It would seem that that isn't the long key id.

To get the long form you have to use:
Code:

gpg --list-keys --with-colons
tru::1:1265037439:0:3:1:5
pub:-:1024:17:6A4463C040102233:2003-02-26:2012-12-21::-:Slackware Linux Project <security@slackware.com>::scaESCA:
sub:-:1024:16:768737F94E523569:2003-02-26:2012-12-21:::::e:
gazl@nix:~$

and then you can:
Code:

gazl@nix:$ gpg --trusted-key 6A4463C040102233  --verify zoo-2.10-x86_64-1.txz.asc
gpg: Signature made Tue 19 May 2009 21:55:53 BST using DSA key ID 40102233
gpg: key 40102233 marked as ultimately trusted
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:  1  signed:  0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2012-12-21
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
gazl@nix:$

... but as you see, you still get a lot of extra 'trust' guff, so it's not really much of an improvement.

update: actually, it seems that the --trusted-key thing is stored permanently, so next time you run the command without the --trusted-key it remembers and you just get the clean 2 line output, without the warnings. Interesting. I wasn't aware of that. I've only ever used the original pgp like features. I might have to play a little more with this newer stuff.
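The long-versus-short key ID point above, as an added example that is not code from the thread or from GnuPG: it derives both ID forms from a fingerprint, pulls the long ID out of `gpg --list-keys --with-colons` output, and checks that what you are about to hand to --trusted-key is the 16-hex-digit form. The fingerprint and the colon-format lines are copied from the posts above; gpg itself is never run. The derivation rule (a v4 key ID is the tail of the fingerprint: last 16 hex digits for the long ID, last 8 for the short one that `--verify` prints) is from the OpenPGP specification, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: key-ID forms for --trusted-key.
# Fingerprint and colon-format listing are copied from the posts above.

# A v4 key ID is the tail of the 160-bit fingerprint:
# long ID = last 16 hex digits, short ID = last 8 (what --verify prints).
keyid_from_fpr() {
    # $1: fingerprint, spaces allowed; $2: "long" (default) or "short"
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "${2:-long}" in
        long)  n=16 ;;
        short) n=8 ;;
        *)     echo "keyid_from_fpr: form must be long or short" >&2; return 1 ;;
    esac
    if [ "${#fpr}" -ne 40 ] || printf '%s' "$fpr" | grep -q '[^0-9A-F]'; then
        echo "keyid_from_fpr: not a 40-hex-digit v4 fingerprint" >&2
        return 1
    fi
    printf '%s\n' "$fpr" | cut -c "$((41 - n))-40"
}

# Field 5 of a "pub" record in `gpg --list-keys --with-colons` is the long
# key ID, which is the value --trusted-key wants.
long_ids_from_colons() {
    awk -F: '$1 == "pub" { print $5 }'
}

# --trusted-key takes only the 16-hex-digit form; the 8-digit short ID is
# not accepted, which is why the first attempt in the thread did not work.
is_long_keyid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$'
}

# Data from the posts above (Slackware Linux Project key as listed in 2010).
SLACKWARE_FPR='EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233'
COLONS='tru::1:1265037439:0:3:1:5
pub:-:1024:17:6A4463C040102233:2003-02-26:2012-12-21::-:Slackware Linux Project <security@slackware.com>::scaESCA:
sub:-:1024:16:768737F94E523569:2003-02-26:2012-12-21:::::e:'

long=$(keyid_from_fpr "$SLACKWARE_FPR")
short=$(keyid_from_fpr "$SLACKWARE_FPR" short)
listed=$(printf '%s\n' "$COLONS" | long_ids_from_colons)
echo "long ID from fingerprint : $long"
echo "short ID from fingerprint: $short"
echo "long ID from key listing : $listed"
if is_long_keyid "$listed" && [ "$listed" = "$long" ]; then
    echo "use: gpg --trusted-key $listed --verify CHECKSUMS.md5.asc CHECKSUMS.md5"
fi
```

Because the key ID is just the tail of the fingerprint, checking the fingerprint printed by `--verify` against the one you obtained out of band (the GPG-KEY file, the Slackware website) is the check that matters; marking the long ID trusted with --trusted-key or --lsign-key only records that you did that check.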

H_TeXMeX_H 02-01-2010 12:25 PM

Aha, that works now, it needs the long key. Ok, thanks.

Lufbery 03-23-2010 12:19 PM

Quote:

Originally Posted by GazL (Post 3844123)
I used to do it by checking the gpg signatures.

Something like:
Code:

#!/bin/bash
#update_slackware.sh
#Note: run this script as root from the local ./patches directory.

#Synchronize the local mirror with the remote mirror:
if ! lftp -c "open slackware.mirrors.tds.net/pub/slackware/slackware64-13.0/patches/ ; mirror -e -n packages"
then
  echo "lftp failed to sync the packages directory. Aborting." 1>&2
  exit 1
fi

#Download the most recent CHECKSUMS.md5 file:
rm -f CHECKSUMS.md5
if ! lftp -c "open slackware.mirrors.tds.net/pub/slackware/slackware64-13.0/patches/ ; get CHECKSUMS.md5"
then
  echo "Could not download CHECKSUMS.md5. Aborting." 1>&2
  exit 1
fi

#Check for MD5 checksum errors and exit if some are found.
#(md5sum -c prints "<file>: OK" for each good file; anything else is a problem)
if grep "\./packages/" CHECKSUMS.md5 | md5sum -c | grep -v 'OK$'
then
  echo "Script aborting. Try manually downloading the file(s) listed above"
  exit 1
fi

echo "No errors found; checking package signatures and updating packages."

#Check GPG signatures and upgrade Slackware with downloaded packages:
cd packages || exit 1
for package in *.t?z.asc
do
  [ -e "$package" ] || continue   # no signature files present at all
  #name the signed file explicitly so gpg checks exactly this package
  if gpg --verify "$package" "${package%.asc}"
  then
    upgradepkg "${package%.asc}"
  else
    echo "ERROR:  ${package%.asc} doesn't match signature file. Skipped!" 1>&2
  fi
done

#Find configuration files that need attention:
echo "Checking for new configuration files:"
find /etc -name "*.new"

I'm not at home right now, so I'll test this this evening.

I also need to add a little bit to the top of the script to give credit where it's due.

Thanks for the help, everyone.

Regards,

H_TeXMeX_H 03-23-2010 12:23 PM

You can also do what I did, which is faster and only check the CHECKSUMS.md5, then if that's good, check the md5sums on the packages.

