Integrity of rpm Packeges

Hello all,

unfortunately I can’t find a way to check the integrity of the RPM packages.
Unfortunately all instructions lead to checks of tar archives.

• Verify Integrity of MongoDB Packages: https://www.mongodb.com/docs/manual/tutorial/verify-mongodb-packages/#verify-integrity-of-mongodb-packages
• Checksum for linux direct download: https://www.mongodb.com/community/forums/t/checksum-for-linux-direct-download/108739/2

I need this for (Mongo Server & shell. Version 4.2.21 Community Version for RHEL8 / Red Hat 8) rpm files.

KR
Denis

RPMs are signed packages.

The usual way of using them is configuring repository to your system and using rpm/dnf/yum to install the package which will add the signing key to your system and validate the package when downloaded.

If you REALLY want to do this semi manually.

#import key
rpm --import https://www.mongodb.org/static/pgp/server-4.2.asc

#download rpm
curl -OJ https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.2/x86_64/RPMS/mongodb-org-mongos-4.2.21-1.el8.x86_64.rpm 

#make a 'bad' copy
cp mongodb-org-mongos-4.2.21-1.el8.x86_64.rpm mongodb-org-mongos-4.2.21-1.el8.x86_64-notgood.rpm
dd if=/dev/zero count=1 seek=9160 conv=notrunc of=mongodb-org-mongos-4.2.21-1.el8.x86_64-notgood.rpm

#validate
rpm -K mongodb-org-mongos-4.2.21-1.el8.x86_64*.rpm
mongodb-org-mongos-4.2.21-1.el8.x86_64-notgood.rpm: DIGESTS SIGNATURES NOT OK
mongodb-org-mongos-4.2.21-1.el8.x86_64.rpm: digests signatures OK

You can also do it without importing the key.

rpm -K --nosignature mongodb-org-mongos-4.2.21-1.el8.x86_64*.rpm
mongodb-org-mongos-4.2.21-1.el8.x86_64-notgood.rpm: DIGESTS NOT OK
mongodb-org-mongos-4.2.21-1.el8.x86_64.rpm: digests OK

Thank you Chris!!!

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.