Re: How to detect PGP signatures of RPMs ?


From: Justin Cormack (jpc1@doc.ic.ac.uk)
Date: Tue Apr 06 1999 - 09:58:21 EDT


>
> Ok, I would like to add to rpm2html output the information
> concerning the PGP signature of a package. So I would like to be able to
> find whether a given RPM has been PGP signed and, if yes, who signed
> it. Digging through the rpm lib code I wasn't able to find an easy
> way to extract that information. I would be extremely grateful
> if one of the RPM format gurus could give me hints on the way to
> extract that information (without running pgp(1)), or even better
> a piece of code showing how to implement it :-)

I am not an expert on RPM format, but there are some problems.

You can't do it without running pgp. And you need to have a keyring with
all the public keys of the people you want to identify in it.

Simple example:
pinga% rpm --checksig --verbose jdk-sn-1.1.6-1.2glibc.i386.rpm
jdk-sn-1.1.6-1.2glibc.i386.rpm:
Header+Archive size OK: 8854130 bytes
Key matching expected Key ID DD2C67F1 not found in file '/homes/jpc1/.pgp/pubring.pgp'.
WARNING: Can't find the right public key-- can't check signature integrity.
Good signature from user "Justin Cormack <j.cormack@doc.ic.ac.uk>".
Signature made 1998/09/11 15:43 GMT using 1024-bit key, key ID 9428F57D
MD5 sum OK: 2086431012b97899c643f09aea144a31

All the info there is is the key ID and the actual signature, but the key
ID is not very helpful, it doesn't have a name attached I don't think
(and the name wouldn't be very trustworthy anyway).

So you will need to collect public keys for the signers, and run pgp. You
can get some public keys from RHCN and the distributors like redhat.

Justin
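To show concretely what can and cannot be read from the file itself without running pgp, here is an added example (not code from the original thread) that walks the rpm lead and signature header and pulls the 64-bit issuer key ID out of the OpenPGP signature packet; the tag numbers come from rpm's rpmtag.h, the packet layouts from the OpenPGP v3/v4 signature formats, and the sample rpm bytes are constructed. As the reply above says, no signer name is in the file, so the returned ID still has to be matched against a keyring to mean anything.

```python
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"      # rpm header-section magic, version 1, reserved
RPM_BIN_TYPE = 7
SIG_TAGS = {1002: "PGP", 1005: "GPG", 267: "DSAHEADER", 268: "RSAHEADER"}  # signature tags (rpm's rpmtag.h)

def parse_header(data, off):
    """Parse one rpm header section at 'off'; return ({tag: raw bytes} for BIN entries, end offset)."""
    if data[off:off + 8] != HEADER_MAGIC:
        raise ValueError("no header section at offset %d" % off)
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    store, entries = off + 16 + 16 * nindex, {}          # data store follows the 16-byte index entries
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(">IIII", data[off + 16 + 16 * i:off + 32 + 16 * i])
        if typ == RPM_BIN_TYPE:                           # for BIN entries, count is the byte length
            entries[tag] = data[store + doff:store + doff + count]
    return entries, store + hsize

def signature_key_id(pkt):
    """Issuer key ID (16 hex digits) from an old-format OpenPGP signature packet, else None."""
    if len(pkt) < 2 or pkt[0] & 0xC0 != 0x80 or (pkt[0] >> 2) & 0x0F != 2:
        return None                                       # not an old-format tag-2 (signature) packet
    body = pkt[{0: 2, 1: 3, 2: 5}.get(pkt[0] & 3, len(pkt)):]
    if body[:1] == b"\x03":                               # v3 (PGP 2.x era): key ID at a fixed offset;
        return body[7:15].hex().upper()                   # pgp 2.x prints only the low 32 bits of it
    if body[:1] == b"\x04":                               # v4: key ID is in an issuer subpacket (type 16)
        pos = 4
        for _ in range(2):                                # hashed area, then unhashed area
            end, pos = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0], pos + 2
            while pos < end:
                ln, pos = body[pos], pos + 1              # subpacket length: 1, 2 or 5 byte forms
                if ln == 255: ln, pos = struct.unpack(">I", body[pos:pos + 4])[0], pos + 4
                elif ln >= 192: ln, pos = ((ln - 192) << 8) + body[pos] + 192, pos + 1
                if body[pos] & 0x7F == 16:                # mask the "critical" bit off the type
                    return body[pos + 1:pos + 9].hex().upper()
                pos += ln
    return None

def rpm_signers(data):
    """Map each signature tag present in an rpm file to the key ID its packet names (no signer name exists)."""
    if data[:4] != b"\xed\xab\xee\xdb":
        raise ValueError("not an rpm file (bad lead magic)")
    sig, _ = parse_header(data, 96)                       # 96-byte lead, then the signature section
    return {SIG_TAGS[t]: signature_key_id(v) for t, v in sig.items() if t in SIG_TAGS}

def build_sample_rpm(key_id):
    """Constructed minimal rpm: lead + signature section with one v3 RSA/MD5 packet (not a real package)."""
    body = b"\x03\x05\x00" + bytes(4) + key_id + b"\x01\x01\xab\xcd" + b"\x00\x08\x2a"  # time, keyid, algs, left16, MPI
    pkt = b"\x88" + bytes([len(body)]) + body             # old-format packet header: tag 2, one-byte length
    index = struct.pack(">IIII", 1002, RPM_BIN_TYPE, 0, len(pkt))
    return b"\xed\xab\xee\xdb" + bytes(92) + HEADER_MAGIC + struct.pack(">II", 1, len(pkt)) + index + pkt
```

Run against a real package, `rpm_signers(open("pkg.rpm", "rb").read())` yields something like `{"PGP": "...9428F57D"}`, which is exactly the key ID line pgp prints and nothing more.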



This archive was generated by hypermail 2b29 : Thu May 10 2001 - 18:40:10 EDT