> Rod, > > No, I don't think so, but it's not really necessary. If you do an "rpm > --checksig man.rpm" for instance (in the directory where the man.rpm file > exists) you should get something like this: > $ rpm --checksig man.rpm > man.rpm: size md5 OK > > That was against a SuSE package. Note that if the RPM file is also GPG > signed (and Red Hat's _are_ signed) then you'll see something like this > unless you have the proper GPG package installed and import the RPM-GPG-KEY > file from the Red Hat FTP server: > $ rpm --checksig zsh-4.0.2-2.s390.rpm > zsh-4.0.2-2.s390.rpm: size md5 GPG NOT OK > > Another option would be to do this: > rpm -Vp man.rpm --nofiles --nodeps > > If you get back nothing, then the package is OK. (I think. Anyone with > more experience want to confirm or deny this?)
The point of the CD image is I can run md5sum on the 650 Mbytes or so and get one (very long) number. If that matches the number published by the person who created the image, I don't have to worry much about the contents. If I download the individual components, I cannot create a verifiable image, if only because dates in the filesystem don't match (wget only matches the timestamp in the directory listing). I expect the order of files is impartant to the checksum calculation too. -- Cheers John Summerfield Microsoft's most solid OS: http://www.geocities.com/rcwoolley/ Note: mail delivered to me is deemed to be intended for me, for my disposition.
