verify vendor signed hashes for packages


Looking to see if there's a way to verify a vendor's signed hashes on rpm packages for authenticity?



If you are installing the package via yum, ensure that the package repository definition in /etc/yum.repos.d has


This will ensure that the gpg signature of the package is validated before installing (and will prompt the user if it doesn't match, or the key isn't available).

Cynthia - This is a good question, and something I guess I really have taken for granted.

If you are asking how to check the authenticity of the files/binaries after a package/rpm has been installed, that is a tough one (I think). There are some global checks that do a good job, such as...

rpm -qaV

But that analyses the files, not the rpms. If you discover a file that has a "5" in the output, you can then do

yum whatprovides /bin/ps
rpm -Vv procps-ng

I did some investigation regarding RPMs and I feel fairly comfortable that what I am about to post is valid/accurate (someone please chime in if I missed something or got it wrong).

## I will first add Google repo to my system
# cat << EOF > /etc/yum.repos.d/google-x86_64.repo
name=Google - x86_64

## See what GPG Public Keys are currently installed/imported
[root@websrv ~]# rpm -qa gpg-pubkey*
## Import Google's GPG Key
[root@websrv ~]# rpm --import
## Now see what GPG Public Keys are installed (notice the difference)
##  Also... take note that there are 2 fields in the rpm name
[root@websrv ~]# rpm -qa gpg-pubkey*

##  Display information about the GPG Key 
# rpm -qi gpg-pubkey-7fac5991-4615767f
Name        : gpg-pubkey                   Relocations: (not relocatable)
Version     : 7fac5991                          Vendor: (none)
Release     : 4615767f                      Build Date: Sun 19 Oct 2014 06:32:47 PM EDT
Install Date: Sun 19 Oct 2014 06:32:47 PM EDT      Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
Size        : 0                                License: pubkey
Signature   : (none)
Summary     : gpg(Google, Inc. Linux Package Signing Key <>)
Description :

## Notice that the rpm naming format is

# yum clean all
# yum -y install yum-downloadonly
# yum --downloadonly --downloaddir=/var/tmp/Google/ install google-chrome
# cd /var/tmp/Google/
# rpm --checksig ./google-chrome-unstable-40.0.2188.2-1.x86_64.rpm 
./google-chrome-unstable-40.0.2188.2-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
# -- Check only the digests (sha1/md5), skipping the GPG signature
# rpm -K --nosignature ./google-chrome-unstable-40.0.2188.2-1.x86_64.rpm 
./google-chrome-unstable-40.0.2188.2-1.x86_64.rpm: sha1 md5 OK
# -- Check all the Signature(s)
# rpm -K ./google-chrome-unstable-40.0.2188.2-1.x86_64.rpm 
./google-chrome-unstable-40.0.2188.2-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK

##  NOW - check the "key ID" value and compare it to the "Version" value obtained by doing the rpm -qi above
# rpm -Kv ./google-chrome-unstable-40.0.2188.2-1.x86_64.rpm 
    Header V4 DSA/SHA1 Signature, key ID 7fac5991: OK
    Header SHA1 digest: OK (db5bd0db533bff8079796ec3274cf6dd6c2b777d)
    MD5 digest: OK (e32edc443d1eeef1573f2a748f1a684d)
    V4 DSA/SHA1 Signature, key ID 7fac5991: OK

I even added an example ;-)
I'm going to purposely "taint" one of the files, in this case the desktop shortcut

## First validate
[root@neo ~]# rpm -V google-chrome-unstable
## Now break
[root@neo ~]# echo "" >> /usr/share/applications/google-chrome-unstable.desktop
## Confirm it picks up the change
[root@neo ~]# rpm -V google-chrome-unstable
S.5....T.    /usr/share/applications/google-chrome-unstable.desktop
## "Fix" my mess..
[root@neo ~]# yum -y reinstall google-chrome
## Check again - all better
[root@neo ~]# rpm -V google-chrome-unstable
[root@neo ~]#
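As an added example (my own script, not code from the thread), here is a small Python check that automates the comparison described above: it pulls the key ID out of the `rpm -Kv` signature lines, confirms that key is one of the imported gpg-pubkey-<keyid>-<date> packages listed by `rpm -qa gpg-pubkey*`, and decodes the `rpm -V` flag column (S.5....T.) into plain words. The `rpm -Kv`, `rpm -V` and gpg-pubkey-7fac5991 values are the ones shown in this thread; the second gpg-pubkey entry is constructed.

```python
import re

# Column legend for `rpm -V` (see rpm(8), "Verify Options"); "." means the check passed.
VERIFY_FLAGS = {
    "S": "file size differs", "M": "mode differs", "5": "digest differs",
    "D": "device number differs", "L": "readlink path differs",
    "U": "user ownership differs", "G": "group ownership differs",
    "T": "mtime differs", "P": "capabilities differ",
}
PUBKEY_PKG = re.compile(r"^gpg-pubkey-([0-9a-f]{8,16})-[0-9a-f]{8}$")
SIG_LINE = re.compile(r"Signature, key ID ([0-9a-f]+): (\w+)", re.IGNORECASE)
VERIFY_LINE = re.compile(r"^([SM5DLUGTP.?]{9})\s+(?:[cdglr]\s+)?(/.*)$")

def imported_key_ids(rpm_qa_output):
    """Key IDs from `rpm -qa gpg-pubkey*` output: the 'Version' part of each gpg-pubkey name."""
    return {m.group(1).lower() for m in map(PUBKEY_PKG.match, rpm_qa_output.split()) if m}

def check_signature(rpm_kv_output, imported):
    """(trusted, key_ids) for `rpm -Kv` output. Trusted only if every signature line
    reports OK *and* its key ID is an imported key; NOKEY/BAD or an unknown key fails."""
    key_ids, statuses = set(), []
    for m in SIG_LINE.finditer(rpm_kv_output):
        kid, status = m.group(1).lower(), m.group(2).upper()
        key_ids.add(kid)
        statuses.append(status == "OK" and kid in imported)
    return bool(statuses) and all(statuses), sorted(key_ids)

def parse_verify(rpm_v_output):
    """Map each path reported by `rpm -V` to the attribute checks it failed."""
    findings = {}
    for line in rpm_v_output.splitlines():
        m = VERIFY_LINE.match(line)
        if m:
            flags, path = m.groups()
            findings[path] = [VERIFY_FLAGS[c] for c in flags if c in VERIFY_FLAGS]
        elif line.startswith("missing"):
            findings[line.split(None, 1)[1]] = ["file missing"]
    return findings

# Sample outputs: values from the thread, plus one constructed gpg-pubkey entry (0badcafe).
SAMPLE_QA = "gpg-pubkey-7fac5991-4615767f\ngpg-pubkey-0badcafe-5ca1ab1e\n"
SAMPLE_KV = """\
    Header V4 DSA/SHA1 Signature, key ID 7fac5991: OK
    Header SHA1 digest: OK (db5bd0db533bff8079796ec3274cf6dd6c2b777d)
    MD5 digest: OK (e32edc443d1eeef1573f2a748f1a684d)
    V4 DSA/SHA1 Signature, key ID 7fac5991: OK
"""
SAMPLE_V = "S.5....T.    /usr/share/applications/google-chrome-unstable.desktop\n"
```

In practice you would feed it the real command output, e.g. `subprocess.run(["rpm", "-Kv", pkg], capture_output=True, text=True).stdout`; a package whose key is not imported comes back as NOKEY and is reported as untrusted rather than OK.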