
How to check rpm integrity?

This post answers the following questions:

How to check rpm integrity?
How to check rpm authenticity?
How to check rpm digital signature?
What is gpgcheck?

Let's take the rpm package below as an example and see how to verify that it is a genuine package.
[root@localhost tmp]# ls -l vsftpd-2.2.2-11.el6.x86_64.rpm
-r--r--r--. 1 root root 154392 Jan 27 10:27 vsftpd-2.2.2-11.el6.x86_64.rpm
[root@localhost tmp]#

There are multiple ways to verify a package.
1. Verify using rpm
[root@localhost tmp]# rpm -q vsftpd
package vsftpd is not installed
[root@localhost tmp]#

[root@localhost tmp]# rpm -K vsftpd-2.2.2-11.el6.x86_64.rpm
vsftpd-2.2.2-11.el6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#fd431d51)
[root@localhost tmp]#

If you want more detail, add the -vv option:
[root@localhost tmp]# rpm -vvK vsftpd-2.2.2-11.el6.x86_64.rpm
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening  db environment /var/lib/rpm cdb:mpool:joinenv
D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: opening  db index       /var/lib/rpm/Name rdonly mode=0x0
D: Expected size:       154392 = lead(96)+sigs(1284)+pad(4)+data(153008)
D:   Actual size:       154392
vsftpd-2.2.2-11.el6.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    Header SHA1 digest: OK (8a138ba815b97261bb219862aa693cb71997716c)
    V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    MD5 digest: OK (c15108a9cdc65ef530c45309fec98c63)
D: closed   db index       /var/lib/rpm/Name
D: closed   db index       /var/lib/rpm/Packages
D: closed   db environment /var/lib/rpm
[root@localhost tmp]#

The output of both commands shows that the package is signed (key ID fd431d51), but the public key needed to verify that signature is not in the rpm database, so rpm reports NOKEY / NOT OK.

The signing keys shipped by Red Hat are stored in the directory below:
[root@localhost tmp]# cd /etc/pki/rpm-gpg/
[root@localhost rpm-gpg]# ls
RPM-GPG-KEY-redhat-beta  RPM-GPG-KEY-redhat-legacy-former  RPM-GPG-KEY-redhat-legacy-release  RPM-GPG-KEY-redhat-legacy-rhx  RPM-GPG-KEY-redhat-release
[root@localhost rpm-gpg]#

So import the main release key:
[root@localhost rpm-gpg]# rpm --import RPM-GPG-KEY-redhat-release
[root@localhost rpm-gpg]# rpm -K /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
/tmp/vsftpd-2.2.2-11.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
[root@localhost rpm-gpg]#
[root@localhost rpm-gpg]# rpm -vvK /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening  db environment /var/lib/rpm cdb:mpool:joinenv
D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: opening  db index       /var/lib/rpm/Name rdonly mode=0x0
D:  read h#    1113 Header sanity check: OK
D: added key gpg-pubkey-fd431d51-4ae0493b to keyring
D:  read h#    1114 Header sanity check: OK
D: added key gpg-pubkey-2fa658e0-45700c69 to keyring
D: Using legacy gpg-pubkey(s) from rpmdb
D: Expected size:       154392 = lead(96)+sigs(1284)+pad(4)+data(153008)
D:   Actual size:       154392
/tmp/vsftpd-2.2.2-11.el6.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA1 digest: OK (8a138ba815b97261bb219862aa693cb71997716c)
    V3 RSA/SHA256 Signature, key ID fd431d51: OK
    MD5 digest: OK (c15108a9cdc65ef530c45309fec98c63)
D: closed   db index       /var/lib/rpm/Name
D: closed   db index       /var/lib/rpm/Packages
D: closed   db environment /var/lib/rpm
[root@localhost rpm-gpg]#
Now both commands show that the signature verifies against the imported key and the digests are intact, so the package is genuine and you can go ahead with the installation and use it as required.

Command to list the imported GPG keys (they are stored in the rpm database as gpg-pubkey packages):
[root@localhost rpm-gpg]# rpm -qa |grep gpg
gpgme-1.1.8-3.el6.x86_64
gpg-pubkey-2fa658e0-45700c69
libgpg-error-1.7-4.el6.x86_64
pygpgme-0.1-18.20090824bzr68.el6.x86_64
gpg-pubkey-fd431d51-4ae0493b
[root@localhost rpm-gpg]#

Command to remove an imported signing key if it is no longer required:
[root@localhost rpm-gpg]# rpm -e gpg-pubkey-2fa658e0-45700c69
[root@localhost rpm-gpg]# rpm -e gpg-pubkey-fd431d51-4ae0493b
[root@localhost rpm-gpg]# rpm -qa |grep gpg
gpgme-1.1.8-3.el6.x86_64
libgpg-error-1.7-4.el6.x86_64
pygpgme-0.1-18.20090824bzr68.el6.x86_64
[root@localhost rpm-gpg]#

2. Verify rpm integrity using yum
[root@localhost tmp]# yum list vsftpd
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository 'my' is missing name in configuration, using id
Repository 'extra' is missing name in configuration, using id
extra                                                                                                                                        | 1.5 kB     00:00 ...
my                                                                                                                                           | 3.9 kB     00:00 ...
Available Packages
vsftpd.x86_64                                                                 2.2.2-11.el6_4.1                                                                 extra
[root@localhost tmp]#

[root@localhost rpm-gpg]# vim /etc/yum.repos.d/my.repo
[my]
baseurl=file:///media/RHEL_6.4\ x86_64\ Disc\ 1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
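The repository definition above is the strong form of the setting: gpgcheck=1 together with a gpgkey to check against. The script below is an added example for this post (not the author's code) that audits a directory of .repo files and reports every repository that does not enforce signature checking: gpgcheck missing, gpgcheck set to 0, or gpgcheck=1 with no gpgkey. The function name audit_repo_dir and the .repo files used in the usage are constructed for this example; run it against /etc/yum.repos.d to audit a real system.

```shell
#!/bin/sh
# Audit yum repository definitions for weak signature settings.
# Added example for this post, not the author's script.
#
# audit_repo_dir [dir]   (default: /etc/yum.repos.d)
#   Prints one line per weak repository: "<file> <repoid> <reason>".
#   Exit status 0 if every repository enforces gpgcheck=1 with a gpgkey,
#   1 if at least one weak definition was found.
audit_repo_dir() {
    dir=${1:-/etc/yum.repos.d}
    found=0
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # One awk pass per file: track the current [repoid] section and the
        # gpgcheck / gpgkey values seen in it, report when the section ends.
        out=$(awk -v file="$f" '
            function report() {
                if (id == "") return
                if (gpgcheck == "")        print file, id, "gpgcheck-not-set"
                else if (gpgcheck != "1")  print file, id, "gpgcheck=" gpgcheck
                else if (gpgkey == "")     print file, id, "gpgkey-missing"
            }
            /^[ \t]*\[[^][]+\]/ {               # new [section]
                report()
                id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
                gpgcheck = ""; gpgkey = ""
                next
            }
            /^[ \t]*$/   { next }              # blank line
            /^[ \t]*[#;]/ { next }             # comment
            /^[ \t]*gpgcheck[ \t]*=/ {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                gpgcheck = v; next
            }
            /^[ \t]*gpgkey[ \t]*=/ {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                gpgkey = v; next
            }
            END { report() }
        ' "$f")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            found=1
        fi
    done
    return "$found"
}

# Usage: sh audit_repos.sh [/etc/yum.repos.d]
if [ "$#" -gt 0 ]; then
    audit_repo_dir "$1"
fi
```

A repository with gpgcheck left unset inherits the default from the [main] section of /etc/yum.conf, so "gpgcheck-not-set" means the repository relies on that default rather than stating its own policy; the audit flags it so the decision is explicit in every .repo file.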

At this point no GPG key has been imported, but the first time you install a package from this repository, yum imports the key named in gpgkey (after asking for confirmation).
[root@localhost rpm-gpg]# rpm -qa |grep gpg
gpgme-1.1.8-3.el6.x86_64
libgpg-error-1.7-4.el6.x86_64
pygpgme-0.1-18.20090824bzr68.el6.x86_64
[root@localhost rpm-gpg]#

[root@localhost rpm-gpg]# yum install vsftpd
...........................
Total download size: 151 k
Installed size: 331 k
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
 Userid : Red Hat, Inc. (release key 2) <security@redhat.com>
 Package: redhat-release-server-6Server-6.4.0.4.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201301301459.x86_64/6.4)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0:
 Userid : Red Hat, Inc. (auxiliary key) <security@redhat.com>
 Package: redhat-release-server-6Server-6.4.0.4.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201301301459.x86_64/6.4)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : vsftpd-2.2.2-11.el6_4.1.x86_64                                                                                                                   1/1
  Verifying  : vsftpd-2.2.2-11.el6_4.1.x86_64                                                                                                                   1/1

Installed:
  vsftpd.x86_64 0:2.2.2-11.el6_4.1

Complete!
[root@localhost rpm-gpg]#

One more point: before installing any package we should also check its pre- and post-install scriptlets, because extra lines of code may have been added to them.

How to check:
[root@localhost ~]# rpm -qi --scripts  /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
package /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm is not installed
[root@localhost ~]#

The -q option only queries the rpm database, so it does not work for a package that is not installed; use the -p option to query the package file instead.
[root@localhost ~]# rpm -pqi --scripts  /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
Name        : vsftpd                       Relocations: (not relocatable)
Version     : 2.2.2                             Vendor: Red Hat, Inc.
Release     : 11.el6                        Build Date: Fri 02 Mar 2012 06:12:21 PM IST
Install Date: (not installed)               Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: vsftpd-2.2.2-11.el6.src.rpm
Size        : 339284                           License: GPLv2 with exceptions
Signature   : RSA/8, Wed 09 May 2012 04:03:40 PM IST, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://vsftpd.beasts.org/
Summary     : Very Secure Ftp Daemon
Description :
vsftpd is a Very Secure FTP daemon. It was written completely from
scratch.
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add vsftpd
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
 /sbin/service vsftpd stop > /dev/null 2>&1
 /sbin/chkconfig --del vsftpd
fi
[root@localhost ~]#

If the package is already installed and you want its information together with its pre/post-install scripts:
[root@localhost ~]# rpm -qi --scripts  <package name>
[root@localhost ~]# rpm -qi --scripts  setup
Name        : setup                        Relocations: (not relocatable)
Version     : 2.8.14                            Vendor: Red Hat, Inc.
Release     : 20.el6                        Build Date: Tue 02 Oct 2012 07:23:59 PM IST
Install Date: Mon 03 Dec 2018 05:51:17 PM IST      Build Host: ppc-007.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: setup-2.8.14-20.el6.src.rpm
Size        : 665890                           License: Public Domain
Signature   : RSA/8, Tue 09 Oct 2012 11:57:56 AM IST, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : https://fedorahosted.org/setup/
Summary     : A set of system configuration and setup files
Description :
The setup package contains a set of important system configuration and
setup files, such as passwd, group, and profile.
postinstall scriptlet (using <lua>):
for i, name in ipairs({"passwd", "shadow", "group", "gshadow"}) do
     os.remove("/etc/"..name..".rpmnew")
end
[root@localhost ~]#

So the correct approach to installing a package on a system is:
1. Check the rpm signature
[root@localhost ~]# rpm -K /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
/tmp/vsftpd-2.2.2-11.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
[root@localhost ~]#
We can see the status md5 OK, but that alone is not enough to install the package, because an untrusted GPG key may somehow have been imported by accident.

2. Check pre/post install script
[root@localhost ~]# rpm -pq --scripts /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add vsftpd
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
 /sbin/service vsftpd stop > /dev/null 2>&1
 /sbin/chkconfig --del vsftpd
fi
[root@localhost ~]#

Only if both checks are OK should we proceed with the installation.
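The two-step procedure above, plus the point made earlier that a signature is only as good as the key it was verified against, can be turned into a single pre-install gate. The script below is an added example for this post (not the author's code): it parses the verbose output of rpm -Kv and the Signature line of rpm -qpi exactly as they appear in the post, rejects the package on NOKEY / NOT OK / MISSING KEYS, rejects it when the signing key is not on an explicit allow-list, and otherwise prints the scriptlets and returns "review required" so they are looked at before installation. The allow-list TRUSTED_KEY_IDS and the function names are assumptions made for this example; the key IDs in it are the two shown in the post.

```shell
#!/bin/sh
# Pre-install gate for a local .rpm file. Added example for this post, not the
# author's script. Exit status of gate_package: 0 pass, 1 reject, 2 review.
#
# TRUSTED_KEY_IDS is an assumed allow-list for this example (the short key IDs
# that rpm -K prints); take the real values from your vendor's key files.
TRUSTED_KEY_IDS="fd431d51 2fa658e0"

# stdin: output of `rpm -Kv <pkg>`. Succeeds only if at least one result line
# says OK and no line reports a failure (NOKEY, NOT OK, MISSING KEYS, BAD).
check_kv_output() {
    bad=0
    ok=0
    while IFS= read -r line; do
        case "$line" in
            *NOKEY*|*"NOT OK"*|*"MISSING KEYS"*|*BAD*) bad=$((bad + 1)) ;;
            *" OK"*)                                    ok=$((ok + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$ok" -gt 0 ]
}

# stdin: output of `rpm -qpi <pkg>`. Prints the short key ID (last 8 hex digits
# of the "Key ID" in the Signature line) in lower case; fails if unsigned.
signature_key_id() {
    full=$(sed -n 's/^Signature *:.*Key ID \([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    [ -n "$full" ] || return 1
    short=${full#"${full%????????}"}
    printf '%s\n' "$short" | tr 'A-Z' 'a-z'
}

# Succeeds if the given short key ID is on the allow-list.
key_is_trusted() {
    for k in $TRUSTED_KEY_IDS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# stdin: output of `rpm -qp --scripts <pkg>`. Prints the number of scriptlets.
count_scriptlets() {
    grep -c 'scriptlet (using ' || true
}

# Run all checks on one package file.
gate_package() {
    pkg=$1
    if ! rpm -Kv "$pkg" | check_kv_output; then
        echo "REJECT: $pkg: signature or digest check failed" >&2
        return 1
    fi
    kid=$(rpm -qpi "$pkg" | signature_key_id) || {
        echo "REJECT: $pkg: package is not signed" >&2
        return 1
    }
    if ! key_is_trusted "$kid"; then
        echo "REJECT: $pkg: signed by key $kid, which is not on the allow-list" >&2
        return 1
    fi
    n=$(rpm -qp --scripts "$pkg" | count_scriptlets)
    if [ "$n" -gt 0 ]; then
        echo "REVIEW: $pkg: signed by trusted key $kid but carries $n scriptlet(s):" >&2
        rpm -qp --scripts "$pkg" >&2
        return 2
    fi
    echo "PASS: $pkg: signed by trusted key $kid, no scriptlets"
}

# Usage: sh rpm_gate.sh /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm [more.rpm ...]
for pkg in "$@"; do
    gate_package "$pkg"
done
```

The allow-list is what closes the gap the post warns about: rpm -K answers "does the signature verify against some imported key", while key_is_trusted answers "is that key one we meant to trust". A package signed by a stray imported key therefore fails even though rpm -K prints OK.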
