Verifying integrity of rpmdb entries
Erinn Looney-Triggs
erinn.looneytriggs at gmail.com
Fri Feb 20 21:03:23 UTC 2015

I have been working with the Python binding for rpm, and as I am sure everyone
is aware, documentation for rpm on the developer level is a bit thin.

I noticed some documentation updates from Florian a couple of months ago for
the RPM bindings, thanks so much.

Anyway, what I am looking for is a way to ensure the integrity of rpmdb
entries. Essentially I want assurance that the characteristics for a package
that is installed can be cryptographically proven to come from a signed
upstream source.

Now I know I can do this for rpm files themselves, however entries in the DB
are a bit hazier. There are hints that this signature checking occurs
automatically from some sources, but I am still unsure. Methods like hdrCheck
look promising but again I am unsure.

So essentially what I am aiming to do is to look at a file entry in the rpm db,
view the hash, and be able to believe with a high degree of confidence that the
hash present for the file entry in the rpm db came from an upstream source,
i.e. the entry is signed.

Is something like this possible?

-Erinn