Checking the Integrity
All official Sauron releases are signed using GnuPG
with the following key:
pub 1024D/ED908D6A 2002-08-10 Timo Kokkonen <tjko@iki.fi>
Key fingerprint = 9168 CD7A 2F0A AB06 79D0 9BBA 9D08 A80C ED90 8D6A
This key is available from the keyservers or you can also download it from
here.
You should use this key (add it to your keyring)
to check that the sources or the RPMs you've downloaded are indeed the original
unmodified ones.
- To check the integrity of source (tar) files, download
  the file and its associated signature file (<filename>.sig)
  and use gpg with the --verify option to check the
  signature. For example, to check the signature of the file
  sauron-0.50.tar.gz you would use the following command:

    gpg --verify sauron-0.5.0.tar.gz.sig
- To check the integrity of RPM (or SRPM) files, you can
  simply use the rpm command with the -K option. For example,
  to check the signature of the file sauron-0.50-1.noarch.rpm
  you would use the following command:

    rpm -K sauron-0.5.0-1.noarch.rpm

  NOTE! With newer versions of RPM (v4.1 or later, found in RH8)
  you will need to add the GPG public key into your rpm
  database before you can check the GPG signatures.
  This can be done using the following command:

    rpm --import <keyfile.txt>

  (This wasn't necessary with earlier versions of RPM, which
  used the keys from your GPG keyring.)
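
For the source tarball check above: gpg --verify reports a good signature for any key present in the keyring, so a scripted check should also confirm that the signer is the key whose fingerprint is listed on this page. The script below is an added example, not part of the Sauron documentation; the function names are hypothetical, and it assumes the key has already been added to your keyring.

```shell
#!/bin/sh
# Added example: verify a detached signature and pin the signer's fingerprint.
# Fingerprint copied from this page with the spaces removed.
EXPECTED_FPR=9168CD7A2F0AAB0679D09BBA9D08A80CED908D6A

# Reads "gpg --status-fd" output on stdin. Succeeds only if gpg reported
# GOODSIG (key not expired or revoked) and a VALIDSIG line names the expected
# key as the signing key ($3) or as its primary key (last field).
signed_by_expected_key() {
    awk -v fpr="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { valid = 1 }
        END { exit !(good && valid) }'
}

# verify_release FILE: expects the detached signature in FILE.sig.
verify_release() {
    file=$1
    status=$(gpg --batch --status-fd 1 --verify "$file.sig" "$file" 2>/dev/null) || {
        echo "FAIL: bad or unverifiable signature on $file" >&2
        return 1
    }
    if printf '%s\n' "$status" | signed_by_expected_key; then
        echo "OK: $file is signed by $EXPECTED_FPR"
    else
        echo "FAIL: $file is not signed by the expected key" >&2
        return 1
    fi
}

# Run only when a file name is given on the command line.
if [ "$#" -gt 0 ]; then
    verify_release "$1"
fi
```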