aws-ec2-ssh
RPM Checksum
Can you publish checksums along with your RPM releases? I'd like some way to validate that the RPM I've downloaded is legitimate.
Hi @dgouldin, do you have any ideas how this usually works with RPMs? I assume some kind of md5 hash is stored in a separate file, but there is likely a standard that we can reuse for RPMs?
I know RPMs do have a verification process, but I'm not sure what the internals look like. Just publishing an md5 hash on the release page or in a file in the same s3 bucket is probably good enough. This is basically what pypi does for python packages (example: https://pypi.python.org/pypi/cryptography/2.1.4 ). If you want to go the extra mile, the way the node.js community signs their shasum files is pretty nice (example: https://nodejs.org/dist/latest/SHASUMS256.txt.asc )
While researching RPM package building, I stumbled upon this Stack Overflow answer: https://stackoverflow.com/a/48239563
It describes the checksum process for RPM a bit. Hope that helps.
@ldormoy I believe we have two kinds of checksums here. The Stack Overflow discussion is about the checksum of the "source file" that is downloaded when the RPM is created. In our case, we download the zipped repo from GitHub.
@dgouldin is asking about a way to verify that the RPM that you download is the one that I published. It seems that RPMs come with a checksum and can be signed: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-check-rpm-sig
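The download-side check discussed in this thread (a published SHASUMS256.txt plus a signature over it, as nodejs.org does), as an added example that is not part of the aws-ec2-ssh project. File names are assumptions; the signing key is assumed to already be in the local gpg keyring.

```shell
#!/bin/sh
# Added example, not project code: verify a downloaded RPM against a
# published SHASUMS256.txt-style file, optionally after checking the
# gpg signature on that file. Names below are assumptions.

# verify_checksum FILE SUMS_FILE
# Exit status: 0 = SHA-256 matches, 1 = mismatch, 2 = no entry for FILE.
verify_checksum() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Accept both "hash  name" and sha256sum's binary-mode "hash *name".
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    return 0
}

# verify_release RPM SUMS_ASC
# Full chain: gpg verifies the clearsigned SHASUMS file and writes out the
# signed text (it fails on a bad signature or an unknown key), then the RPM's
# hash is compared against that trusted list. Exit status 3 = signature check
# failed. Needs gpg, so it is not covered by the self-test.
verify_release() {
    rpm_file=$1
    sums_asc=$2
    plain=$(mktemp)
    gpg --batch --yes --output "$plain" --decrypt "$sums_asc" || { rm -f "$plain"; return 3; }
    rc=0
    verify_checksum "$rpm_file" "$plain" || rc=$?
    rm -f "$plain"
    return $rc
}
# If the RPM itself is signed, `rpm --import KEY` followed by
# `rpm --checksig FILE.rpm` checks the embedded signature as well.

# Usage: sh verify.sh aws-ec2-ssh.rpm SHASUMS256.txt
if [ $# -eq 2 ]; then verify_checksum "$1" "$2"; fi
```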