Verifying integrity of rpmdb entries

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Fri Feb 20 21:03:23 UTC 2015


I have been working with the python binding for rpm, and as I am sure everyone 
is aware, documentation for rpm on the developer level is a bit thin. 

I noticed some documentation updates from Florian a couple of months ago for 
the RPM bindings, thanks so much. 

Anyway, what I am looking for is a way to ensure the integrity of rpmdb 
entries. Essentially I want assurance that the characteristics for a package 
that is installed can be cryptographically proven to come from a signed 
upstream source. 

Now I know I can do this for rpm files themselves, however entries in the DB 
are a bit hazier. There are hints that this signature checking occurs 
automatically from some sources, but I am still unsure. Methods like hdrCheck 
look promising but again I am unsure. 

So essentially what I am aiming to do is to look at a file entry in the rpm db, 
view the hash, and be able to believe with a high degree of confidence that the 
hash present for the file entry in the rpm db came from an upstream source, 
i.e. the entry is signed.

Is something like this possible?

-Erinn
