Googling for "rpm sign key import" - the 3rd entry gives me the following cluestick -
https://rhn.redhat.com/help/reference/s1-text-up2date.html

Depending on how old your system is, you simply run "rpm --import the_public_gpg_key" or "gpg --import the_public_gpg_key". You can check who/if your package is signed by before installing: just run "rpm --checksig my_new_package.rpm".

If you choose to install a package from a non-default repository, like Dag's, you will always need to get the public key that matches the private key that signed the package. (The Redhat keys are installed in the OS when you install - they are also updated occasionally by your package manager.)

The whole point of package signing is demonstrating trust. By downloading a package from Dag's site you are electing to use him as a provider of some code or information. So you already have some element of trust in him. If you choose to install it then you are also trusting the delivery mechanism - his server integrity, the network between you and him, etc. If you are not sure that this integrity is up to what you need, then you need to verify that in fact it was Dag that created the RPM that you have. To do this you obtain the public key that he has created from his private key. He also has signed the package with his private key. By installing his public key and running "rpm --checksig" you can at least be sure that the RPM was signed by the private key that matches the public key installed on the MIT keyserver.

The only thing you haven't verified is that MIT are in fact holding Dag's real public key. One way to do this is to contact Dag directly, and verify that he is who he says he is and that the "fingerprint" or "keyid" that he has matches what you have downloaded. Clearly this can be difficult if you don't know Dag. The other way is to investigate the "web of trust" that he has for his public key. This is the hierarchy of people that have verified and signed his key and vetted the person against the key.

Assuming you trust someone in the "web of trust" that has signed a key of someone that has signed a key of someone that has signed a key of someone ....... then you can make a judgement whether to accept his key. (I'll leave it as an exercise for you to have a look at how GPG/PGP works. There may be others on the SLUG list that may wish to correct/amplify what I have said - I am more a theoretician when it comes to GPG/PGP, never having had a real burning need to use it in anger - but I should really use it a bit to get more geek cred :-) )

Anyway, assuming you trust MIT, then you only need to follow the instructions above.

On 7/17/06, Voytek Eymont <[EMAIL PROTECTED]> wrote:
On Mon, July 17, 2006 12:27 am, Martin Visser wrote:
> Looking up on the MIT keyserver with
> http://pgp.mit.edu:11371/pks/lookup?search=dag+wieers&op=index
>
> Type bits /keyID    Date       User ID
> pub  1024D/6B8D79E6 2003/08/24 Dag Wieers (Dag Apt Repository v1.0) <[EMAIL PROTECTED]>
> pub  1024D/A838A2DA 1997/06/22 Dag Wieers <[EMAIL PROTECTED]>
> pub  512R/51BFC045  1997/03/16 Dag Wieers <[EMAIL PROTECTED]>
>
> Looks like the first matches what you want.

thanks, Martin

what do I use to import it ?

how do I determine before installing that I need a key ?

--
Voytek

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
-- 
Regards, Martin
Martin Visser
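The procedure Martin describes (get the signer's public key, confirm its fingerprint out of band, import it, then run "rpm --checksig" before installing) as an added example script. This is not code from the thread or from Red Hat; it assumes rpm and GnuPG 2.2 or newer are installed, that "rpm --import" is run as root, and that the expected fingerprint passed as the third argument was obtained from the key owner or a trusted signer. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the SLUG thread. Imports a third-party signing key
# into rpm's keyring only after its fingerprint matches a value obtained out of
# band (e.g. confirmed with the key owner), then runs "rpm --checksig".
# Assumes rpm and GnuPG 2.2+ are installed and that "rpm --import" runs as root.
# The fingerprint passed as the third argument is a placeholder you supply.

# Normalise a fingerprint for comparison: drop spaces and colons, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Succeed (exit 0) only if the two fingerprints are identical after normalisation.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary-key fingerprint of an armoured key file without importing it.
# "fpr" records in --with-colons output carry the fingerprint in field 10.
key_fingerprint() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Show which key signed a package, so you know whose key you need before
# importing anything (rpm -qpi prints a "Signature" line with the key ID).
package_signing_key() {
    rpm -qpi "$1" 2>/dev/null | grep '^Signature'
}

# Import the key only if it matches the expected fingerprint, then check the
# package. Any failure returns non-zero, so callers can refuse to install.
verify_package() {
    keyfile=$1 pkg=$2 expected=$3
    actual=$(key_fingerprint "$keyfile")
    if [ -z "$actual" ]; then
        echo "could not read a fingerprint from $keyfile" >&2
        return 1
    fi
    if ! fingerprint_matches "$expected" "$actual"; then
        echo "fingerprint mismatch: expected $expected, key file has $actual" >&2
        return 1
    fi
    rpm --import "$keyfile" || return 1
    rpm --checksig "$pkg"
}

# Usage: verify-rpm.sh KEYFILE PACKAGE.rpm EXPECTED_FINGERPRINT
if [ "$#" -eq 3 ]; then
    package_signing_key "$2"
    verify_package "$1" "$2" "$3"
fi
```

Running "rpm --checksig" on a package before importing anything answers the "do I need a key?" question: rpm reports the signature as unverifiable (NOKEY) when the signer's public key is not in its keyring, and the "Signature" line from "rpm -qpi" names the key ID to look up. The fingerprint comparison is the step that turns "signed by whatever key the keyserver handed me" into "signed by the key I confirmed with its owner".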
