[TriLUG] Tsk Tsk Tsk...

Marty Ferguson marty.ferguson at pobox.com
Thu Oct 25 19:32:45 EDT 2001


Apparently Red Hat did not PGP sign some of the RPMs included 
in the 7.2 distribution.  These files are on various FTP sites, 
including ibiblio over at UNC.

See:

http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0019.html

I find the bullet down on this security briefing page to be particularly 
misleading:

http://www.info-sec.com/OSsec/OSsec_1.shtml

It's not until after reading the full text of the article that the reader 
discovers that the warning isn't about the actual Red Hat 7.2 distribution, 
but rather the inability to authenticate.  A subtlety like that is easily lost
in the popular press.

Actually, the only way to *really* *really* guarantee authenticity would be
to purchase a box set.  And in fact, how could we even verify the authenticity
of a box set sold at Best Buy?  Perhaps it is safest to purchase directly 
from the Red Hat web site...   ;-)

This blunder may lead to increased sales of the boxed set by those who
insist on having 7.2, but may lead to a smaller installed base of 7.2 due
to the problem of authentication.

What, no $30 box set anymore?  
And ISO images of the $79 box set can't be easily authenticated?  

I suppose someone could do a binary compare ( cmp ) between known authentic
RH 7.2 media and the files on the various FTP sites. 

The bad thing about the unsigned RPMs is that rogue versions can be 
substituted by unscrupulous people. 

You can check the GPG key all by itself using the -K option in rpm:

========================== 
I've copied the zsh rpm into my home directory.
I dd the file to copy it, leaving off the last byte of the file,
and I use rpm -K to check the original and the "bogus" version, test.rpm.
==============

[marty at lx3 marty]$ ls -l zsh-3.0.8-8.i386.rpm 
-rw-r--r--    1 marty    marty      503936 Oct 25 14:18 zsh-3.0.8-8.i386.rpm
[marty at lx3 marty]$ rpm -K zsh-3.0.8-8.i386.rpm 
zsh-3.0.8-8.i386.rpm: md5 (GPG) OK (MISSING KEYS: GPG#DB42A60E) 
[marty at lx3 marty]$ dd if=zsh-3.0.8-8.i386.rpm of=test.rpm bs=1 count=503935
503935+0 records in
503935+0 records out
[marty at lx3 marty]$ rpm -K test.rpm             
error: test.rpm: rpmReadSignature failed

=============================

Regards,
Marty
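
A small classifier for rpm -K output, added here as an example and not part of Marty's post or of rpm itself. It separates a package that only passed its md5 digest (integrity in transit, no authenticity) from one whose GPG signature is present but could not be checked because the signing key is not imported, which is what the "MISSING KEYS" in the zsh line above means, and from one that actually verified. The first two sample lines are taken from the session above; the remaining lines, and the exact wording assumed for other rpm versions, are constructed assumptions.

```python
import re

# Sample rpm -K / --checksig output. The first two lines are from the post
# above; the others are constructed to show the remaining outcomes. The exact
# wording differs between rpm versions, so the patterns below are assumptions.
SAMPLE_OUTPUT = """\
zsh-3.0.8-8.i386.rpm: md5 (GPG) OK (MISSING KEYS: GPG#DB42A60E)
error: test.rpm: rpmReadSignature failed
example-unsigned-1.0-1.i386.rpm: size md5 OK
example-signed-2.0-1.i386.rpm: size md5 gpg OK
example-tampered-3.0-1.i386.rpm: size MD5 GPG NOT OK
"""

# Verdicts, from weakest to strongest.
UNREADABLE = "unreadable"   # rpm could not parse the signature header (e.g. truncated file)
TAMPERED = "tampered"       # a digest or signature check failed outright
UNSIGNED = "unsigned"       # digests only: detects corruption, proves nothing about origin
UNVERIFIED = "unverified"   # GPG signature present, but the signing key is not imported
AUTHENTIC = "authentic"     # GPG signature present and verified with an imported key

def classify(line):
    """Return (filename, verdict) for one line of rpm -K output."""
    line = line.strip()
    m = re.match(r"error:\s*(\S+):\s*(.*)", line)
    if m:
        return m.group(1), UNREADABLE
    m = re.match(r"(\S+):\s*(.*)", line)
    if not m:
        raise ValueError("unrecognised rpm -K line: %r" % line)
    name, status = m.group(1), m.group(2)
    if "NOT OK" in status:
        return name, TAMPERED
    if "MISSING KEYS" in status:
        return name, UNVERIFIED
    # rpm prints the check name in lower case ('gpg'/'pgp') only when it passed.
    if re.search(r"\b(gpg|pgp)\b", status):
        return name, AUTHENTIC
    return name, UNSIGNED

def audit(output):
    """Classify every non-empty line and return {filename: verdict}."""
    return dict(classify(l) for l in output.splitlines() if l.strip())

def not_trustworthy(output):
    """Filenames that should not be installed on the strength of rpm -K alone."""
    return sorted(f for f, v in audit(output).items() if v != AUTHENTIC)
```

Note that the zsh package in the session above lands in the "unverified" bucket: rpm saw a signature but, without the Red Hat key imported, never checked it, so that run shows integrity only, not authenticity.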