On Wed, 2006-06-14 at 17:33 -0700, karl at klxsystems.net wrote:
> Thanks to everyone who responded earlier with locations of the RPM bits.
> In thanks, here's a step-by-step of how I got things working. 6 minute
> response by two separate people shows this is a thriving community. rad.
>
> This how-to covers my current method for installing Tripwire 2.3 on our
> CentOS servers. It's working great,
<snip>
> (would be nice to have an MD5 checksum to verify this package is secure)

Hope I'm not wasting your time here. I thought GPG signing was sufficient for this stuff!?

I'm new at this stuff, but from "man yum.conf" there is this:

    gpgcheck
        Either ‘1’ or ‘0’. This tells yum whether or not it should perform
        a GPG signature check on packages. When this is set in the [main]
        section it sets the default for all repositories. This option also
        determines whether or not an install of a package from a local RPM
        file will be GPG signature checked. The default is ‘0’.

In my yum.repos.d repo files, I have it enabled. Would this not satisfactorily accomplish what is needed? I presume you can run it manually if not using yum. I always use yum to do basic installs, but as stated, I'm pretty new to this stuff. Still spend an inordinate amount of time in mans, howtos, etc. <*sigh*>

>
> 2. Install the Tripwire RPM:
> rpm -ivh tripwire-2.3.1-21.i386.rpm

Out of curiosity, I perused (lightly) "man rpm". Since it permits signing, I presume that it also depends on GPG for verification (along with other checks embedded in the processes?). From that I generated and ran this little script

    # list every imported gpg-pubkey pseudo-package and page through its details
    for N in $(rpm -qa 'gpg-pubkey*' | sed -e 's/\.(none)//') ; do
        rpm -qi "$N" | less
    done

to see if Karan had a key that I had imported. It revealed several instances of GPG signatures with this summary

    gpg(Karanbir Singh (http://www.karan.org/) <kbsingh at karan.org>)

There must certainly have been instructions on either CentOS or Karanbir's site as I would not have enough knowledge of my own to get these set up... well, maybe imported while using mail. That's possible.

Ah! But I recall now when I first started I got failures because I had *not* imported keys (although I *thought* I had) for one of the repositories. I think that confirms that GPG does suffice for validation. Doesn't it?

Anyway, I haven't reviewed the web sites for a long time, but I suspect the files are signed and I suspect that should meet the need. And I suspect that you need to do an rpm import of the keys? Instructions and keys are on the sites, IIRC.

Something I'm missing, being ignorant and new and shameless about it?

Anyway, here, all the repos had keys except atrpm, which I have not used, so I would not have done the rpm import yet for that.

> <snip>
> -karlski
> <snip sig stuff>

Hope I wasn't wasting your time.

--
Bill
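The three things Bill leans on above (gpgcheck in the yum repo files, the imported gpg-pubkey entries, and rpm's own signature check on a package file) pulled together into one script, as an added example that is not part of this thread and not code from CentOS, yum or rpm. The repo file text and the `rpm -K` output lines are constructed samples; the exact `rpm -K` wording varies between rpm versions, and the key ID in the sample is a placeholder. The only real commands used are `rpm -q gpg-pubkey`, `rpm -K` and `rpm --import`.

```shell
#!/bin/sh
# Added example: audit the package-signature chain discussed in the thread.

# Constructed sample of yum repo configuration (not a real CentOS file).
# [main] sets the default; [atrpms] explicitly turns verification off.
SAMPLE_REPO='[main]
gpgcheck=1

[base]
name=CentOS base
baseurl=http://example.invalid/centos
gpgcheck=1
gpgkey=http://example.invalid/RPM-GPG-KEY

[atrpms]
name=ATrpms
baseurl=http://example.invalid/atrpms
gpgcheck=0
'

# repo_gpgcheck_off: read yum.conf/.repo text on stdin and print each
# repository section whose effective gpgcheck is not 1. A section with no
# gpgcheck line inherits [main]; if [main] has none, yum's default is 0.
repo_gpgcheck_off() {
    awk '
    /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); order[++n] = sec; val[sec] = ""; next }
    /^[ \t]*gpgcheck[ \t]*=/ {
        v = $0; sub(/^[ \t]*gpgcheck[ \t]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val[sec] = v
    }
    END {
        def = "0"                                  # yum default when [main] says nothing
        if (("main" in val) && val["main"] != "") def = val["main"]
        for (i = 1; i <= n; i++) {
            s = order[i]; if (s == "main") continue
            v = (val[s] != "") ? val[s] : def
            if (v != "1") print s
        }
    }'
}

# Constructed samples of "rpm -K <file>" output (older rpm 4.x wording):
SIG_OK='tripwire-2.3.1-21.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SIG_MISSING='tripwire-2.3.1-21.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#PLACEHOLDER)'
SIG_UNSIGNED='tripwire-2.3.1-21.i386.rpm: sha1 md5 OK'

# sig_status: classify one "rpm -K" result line as
#   signed-ok    signature present and verified against an imported key
#   missing-key  signed, but the signing key has not been imported (rpm --import)
#   bad          digest or signature mismatch
#   unsigned     digests only, no GPG/PGP signature at all (md5 alone proves nothing)
sig_status() {
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$line" in
        *"missing keys"*)           echo missing-key ;;
        *"not ok"*)                 echo bad ;;
        *gpg*|*pgp*|*signatures*)   echo signed-ok ;;
        *)                          echo unsigned ;;
    esac
}

# list_imported_keys: the gpg-pubkey pseudo-packages rpm knows about, one per
# line with the "gpg(Name <email>)" summary Bill saw with rpm -qi.
list_imported_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# verify_rpm_file: run rpm -K on a package file and report the classification.
# Keys are imported beforehand with: rpm --import /path/to/RPM-GPG-KEY
verify_rpm_file() {
    sig_status "$(rpm -K "$1" 2>&1)"
}

# Stand-alone run: offline checks on the constructed samples, then the live
# key list if rpm is installed on this machine.
printf '%s' "$SAMPLE_REPO" | repo_gpgcheck_off | sed 's/^/gpgcheck disabled: /'
for s in "$SIG_OK" "$SIG_MISSING" "$SIG_UNSIGNED"; do
    printf '%s -> %s\n' "$s" "$(sig_status "$s")"
done
if command -v rpm >/dev/null 2>&1; then
    list_imported_keys
fi
```

On the sample, only `atrpms` is reported with gpgcheck disabled, which matches the one repository Bill had not imported a key for; a package that verifies with digests only ("sha1 md5 OK", no gpg) is reported as unsigned, which is exactly the case an MD5 checksum alone would not catch.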