Quote:
As for md5, I believe that though engineering an md5 collision is possible, it's not all that easy or practical, and the most likely attack would be for the .md5 file itself to be replaced along with the file it relates to. A simple approach to protect against this is to always get the .md5 file and the package itself from different mirrors. I do this myself wherever a pgp signature isn't made available. I've also seen projects that pgp clearsign the md5sums rather than the individual packages, so you know the md5sums will be good without them needing to generate a pgp signature for every file/package. However, where the pgp signatures are available it makes sense to use them for the added protection. |
We do both and hence CHECKSUMS.md5.asc
|
Quote:
|
Um, bit of a problem here:
Code:
bash-3.1$ gpg --import GPG-KEY |
Why does it say what? Looks pretty standard output to me :scratch:
|
I think he means this part:
Code:
gpg: WARNING: This key is not certified with a trusted signature! |
It's because the key hasn't been signed by anyone you trust. It's just a warning that you can't be certain the key is valid.
If you want to sign it yourself, to indicate that you know where it's come from and trust it to be good, you can use "gpg --lsign-key 40102233". This will require you to have set up your own signing key to do so. I think there are also some options you can set to disable these warnings, but I've always done it this way, as the warnings are there for a reason. |
Oh, ok, I get it, so it did work. Looks like I haven't used gpg in a while.
|
Just looked it up...
Adding "--trusted-key 40102233" to the gpg command should be enough if you don't want to have to go to the trouble of creating a secret key and signing the key yourself. I usually create a root@hostname key pair on each of my boxes that I use for the life of the system, for signing purposes. I usually set its passphrase to be the same as the root password so that I don't forget it. errata: see post 74. I got the command slightly wrong above. |
Thanks GazL for both above posts. That explains things much better than the gpg man page! I've never bothered before, but may just do one of these things.
|
Well thanks, but that didn't work, but I don't care too much, because it does return the right value and that's what matters, it succeeds even if it isn't trusted (like I care).
Anyway here's the final script, for now, but I will only be modifying it to add bug fixes and maybe some requested features, but so far it supports a blacklist, gpg, md5sum, and all that. It downloads only packages that you don't have installed.
Code:
#!/bin/sh
Code:
mozilla-firefox-.*\.t[gx]z$ |
Quote:
It would seem that that isn't the long key id. To get the long form you have to use:
Code:
gpg --list-keys --with-colons
Code:
gazl@nix:$ gpg --trusted-key 6A4463C040102233 --verify zoo-2.10-x86_64-1.txz.asc
update: actually, it seems that the --trusted-key thing is stored permanently, so next time you run the command without the --trusted-key it remembers and you just get the clean 2 line output, without the warnings. Interesting. I wasn't aware of that. I've only ever used the original pgp like features. I might have to play a little more with this newer stuff. |
Aha, that works now, it needs the long key. Ok, thanks.
|
Quote (GazL):
I used to do it by checking the gpg signatures.
Something like:
Code:
#!/bin/bash
|
I also need to add a little bit to the top of the script to give credit where it's due. Thanks for the help, everyone. Regards, |
You can also do what I did, which is faster: only check the CHECKSUMS.md5, then if that's good, check the md5sums on the packages.
|
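The two-stage check described in the posts above (verify the signature on CHECKSUMS.md5 first, then compare the md5sums of only the packages you downloaded), written out as an added example; it is not a script from this thread, from GazL, or from Slackware. It assumes gpg and md5sum (or BSD md5) are on PATH, that the mirror's public key has already been imported with gpg --import, and that CHECKSUMS.md5 is in md5sum's "<md5>  ./path/to/package.txz" format; the long key id 6A4463C040102233 is the one quoted earlier in the thread and is only an example. It goes one step beyond the --trusted-key approach: gpg --verify exits 0 for a good signature from any key in your keyring, so the signature stage reads gpg's machine-readable VALIDSIG status line and insists that the signing fingerprint ends in the key id you expect.

```shell
#!/bin/sh
# Added example (not from the thread or from Slackware): verify CHECKSUMS.md5 via its
# detached signature, then verify individual packages against the trusted list.
# Assumes gpg, md5sum (or md5 on BSD/macOS) and the imported mirror key.

# md5 of a file as lowercase hex; md5sum on Linux, md5 -q on BSD/macOS.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Stage 1: check the detached signature on the checksum list.
# $1 = CHECKSUMS.md5, $2 = CHECKSUMS.md5.asc, $3 = long key id (example: 6A4463C040102233).
# gpg exits 0 for a valid signature from *any* key in the keyring, so parse the
# "[GNUPG:] VALIDSIG <fingerprint> ..." status line and require that the
# fingerprint ends in the key id we expect. Returns non-zero otherwise.
verify_checksums_sig() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG [0-9A-Fa-f]*$3 "
}

# Stage 2: check one downloaded package against the (now trusted) list.
# $1 = CHECKSUMS.md5, $2 = path to the package file.
# Returns 0 on match, 1 on mismatch, 2 if the package is not listed at all.
verify_pkg_md5() {
    _base=$(basename "$2")
    # Entries look like "<md5>  ./slackware64/a/zoo-2.10-x86_64-1.txz"; match on the
    # trailing "/<filename>" so the directory part of the entry does not matter.
    _expected=$(awk -v b="/$_base" \
        'substr($2, length($2) - length(b) + 1) == b { print $1; exit }' "$1")
    [ -n "$_expected" ] || return 2
    _actual=$(md5_of "$2")
    [ "$_actual" = "$_expected" ]
}

# Driver: refuse to look at any package until the list itself is trusted.
# usage: verify_all CHECKSUMS.md5 CHECKSUMS.md5.asc 6A4463C040102233 pkg1.txz [pkg2.txz ...]
verify_all() {
    _sums=$1; _sig=$2; _keyid=$3; shift 3
    if ! verify_checksums_sig "$_sums" "$_sig" "$_keyid"; then
        echo "BAD signature on $_sums (or not signed by $_keyid); refusing to trust it" >&2
        return 1
    fi
    _rc=0
    for _pkg in "$@"; do
        _st=0
        verify_pkg_md5 "$_sums" "$_pkg" || _st=$?
        case $_st in
            0) echo "OK       $_pkg" ;;
            2) echo "UNLISTED $_pkg" >&2; _rc=1 ;;
            *) echo "MISMATCH $_pkg" >&2; _rc=1 ;;
        esac
    done
    return $_rc
}

# Run as a script when given arguments; when sourced for its functions, do nothing.
if [ $# -ge 4 ]; then
    verify_all "$@"
fi
```

Because verify_all returns non-zero as soon as the signature stage fails, a download script can call it and skip installpkg on any non-zero status; the UNLISTED case catches a package that was fetched from a mirror but never appeared in the signed list, which is exactly the replaced-.md5-and-package scenario mentioned at the top of the thread.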