This repository has been archived by the owner on Nov 8, 2021. It is now read-only.

RPM Checksum #119

Open
dgouldin opened this issue Feb 7, 2018 · 4 comments

Comments

@dgouldin

dgouldin commented Feb 7, 2018

Can you publish checksums along with your RPM releases? I'd like some way to validate that the RPM I've downloaded is legitimate.

@michaelwittig
Contributor

Hi @dgouldin, do you have any ideas about how this usually works with RPMs? I assume some kind of md5 hash is stored in a separate file, but there is likely a standard that we can reuse for RPMs?

@dgouldin
Author

dgouldin commented Feb 7, 2018

I know RPMs do have a verification process, but I'm not sure what the internals look like. Just publishing an md5 hash on the release page or in a file in the same S3 bucket is probably good enough. This is basically what PyPI does for Python packages (example: https://pypi.python.org/pypi/cryptography/2.1.4 ). If you want to go the extra mile, the way the Node.js community signs their shasum files is pretty nice (example: https://nodejs.org/dist/latest/SHASUMS256.txt.asc ).

@ldormoy

ldormoy commented Feb 7, 2018

While researching RPM package building, I stumbled upon this Stack Overflow answer:
https://stackoverflow.com/a/48239563

It describes the checksum process for RPM a bit. Hope that helps.

@michaelwittig
Contributor

@ldormoy I believe we have two kinds of checksums here. The Stack Overflow discussion is about the checksum of the "source file" that is downloaded when the RPM is created. In our case, we download the zipped repo from GitHub.

@dgouldin is asking about a way to verify that the RPM that you download is the one that I published. It seems that RPMs come with a checksum and can be signed: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-check-rpm-sig
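The two verification routes raised in this thread, as an added example that is not part of the original issue or of this project's release tooling: a consumer-side check of a downloaded artifact against a published SHA256SUMS-style file (the PyPI/Node.js scheme dgouldin suggests), and a wrapper around `rpm --checksig` for the built-in RPM digest and GPG signature check michaelwittig links to. The artifact name and contents in the demo are constructed; where a signed SHASUMS256.txt.asc is published, `gpg --verify SHASUMS256.txt.asc` should be run on the list before trusting it.

```shell
#!/bin/sh
# Added example, not this project's code. Verifies a download against a
# published checksum list, and (where rpm exists) the RPM's own signature.

# verify_sha256 FILE SUMSFILE
#   Looks FILE up (by basename) in SUMSFILE, which uses the `sha256sum` line
#   format "<hex>  <name>" (or "<hex> *<name>" in binary mode), recomputes the
#   digest locally and compares. Returns 0 on match, 1 on mismatch, and 2 when
#   the file is not listed at all: an unlisted artifact must not pass silently.
verify_sha256() {
  file=$1
  sums=$2
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum for $name in $sums" >&2
    return 2
  fi
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name (expected $expected, got $actual)" >&2
  return 1
}

# verify_rpm_signature FILE
#   The RPM-native check: the package carries header/payload digests and can be
#   GPG-signed at build time; `rpm --checksig` (alias `rpm -K`) validates both.
#   The publisher's public key must have been imported first with
#   `rpm --import KEY.asc`, otherwise the signature is reported as unverifiable.
#   Returns 2 on hosts without rpm so the caller can tell "skipped" from "failed".
verify_rpm_signature() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not installed, skipping" >&2; return 2; }
  rpm --checksig "$1"
}

# demo_sha256: build a constructed artifact plus its SHA256SUMS, check the
# genuine copy, then tamper with it and check again. Succeeds only when the
# genuine copy passes (0) and the tampered copy is rejected (1).
demo_sha256() {
  dir=$(mktemp -d)
  printf 'constructed rpm payload\n' > "$dir/example-1.0.0.noarch.rpm"
  ( cd "$dir" && sha256sum example-1.0.0.noarch.rpm > SHA256SUMS )
  ok=0
  verify_sha256 "$dir/example-1.0.0.noarch.rpm" "$dir/SHA256SUMS" || ok=$?
  printf 'tampered\n' >> "$dir/example-1.0.0.noarch.rpm"
  bad=0
  verify_sha256 "$dir/example-1.0.0.noarch.rpm" "$dir/SHA256SUMS" || bad=$?
  rm -rf "$dir"
  echo "genuine=$ok tampered=$bad"
  [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo_sha256
```

Matching on the basename is deliberate: a checksum list only commits to the published file's name and digest, so a renamed download is still verified against the entry it claims to be. The digest check proves integrity relative to the list, but authenticity rests on how that list was obtained; a signed list or a signed RPM is what ties it back to the publisher.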

3 participants