Integrity of rpm Packages

Hello all,

Unfortunately I can’t find a way to check the integrity of the RPM packages.
Unfortunately all instructions lead to checks of tar archives.

I need this for (Mongo Server & shell. Version 4.2.21 Community Version for RHEL8 / Red Hat 8) rpm files.

KR
Denis

RPMs are signed packages.

The usual way of using them is configuring a repository on your system and using rpm/dnf/yum to install the package, which will add the signing key to your system and validate the package when downloaded.

If you REALLY want to do this semi-manually:

```
# import key
rpm --import https://www.mongodb.org/static/pgp/server-4.2.asc

# download rpm
curl -OJ https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.2/x86_64/RPMS/mongodb-org-mongos-4.2.21-1.el8.x86_64.rpm

# make a 'bad' copy
cp mongodb-org-mongos-4.2.21-1.el8.x86_64.rpm mongodb-org-mongos-4.2.21-1.el8.x86_64-notgood.rpm
dd if=/dev/zero count=1 seek=9160 conv=notrunc of=mongodb-org-mongos-4.2.21-1.el8.x86_64-notgood.rpm

# validate
rpm -K mongodb-org-mongos-4.2.21-1.el8.x86_64*.rpm
mongodb-org-mongos-4.2.21-1.el8.x86_64-notgood.rpm: DIGESTS SIGNATURES NOT OK
mongodb-org-mongos-4.2.21-1.el8.x86_64.rpm: digests signatures OK
```

2 Likes

You can also do it without importing the key.

```
rpm -K --nosignature mongodb-org-mongos-4.2.21-1.el8.x86_64*.rpm
mongodb-org-mongos-4.2.21-1.el8.x86_64-notgood.rpm: DIGESTS NOT OK
mongodb-org-mongos-4.2.21-1.el8.x86_64.rpm: digests OK
```
1 Like
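
The two replies above produce different results: `digests signatures OK` means the signature was checked against an imported key, while `digests OK` only compares the package with digests stored inside the package itself, so it catches corruption but says nothing about who built the file. The following is an added example, not part of the original posts, that gates on that difference; it assumes the RHEL 8 `rpm -K` output format quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): fail closed unless `rpm -K` reports a
# verified signature. Assumes the RHEL 8 output format quoted above; the
# function names are hypothetical.

# classify_rpmk_line LINE -> prints verified | digest-only | failed
classify_rpmk_line() {
    case "${1##*: }" in                         # text after the last ": "
        "digests signatures OK") echo verified ;;     # digests and signature checked
        "digests OK")            echo digest-only ;;  # e.g. --nosignature was used
        *)                       echo failed ;;       # NOT OK, warnings, errors
    esac
}

# gate_rpmk_output: reads `rpm -K` output on stdin, prints one verdict per
# line, and succeeds only if there was at least one line and all are verified.
gate_rpmk_output() {
    gate_seen=0
    gate_bad=0
    while IFS= read -r gate_line; do
        [ -n "$gate_line" ] || continue
        gate_seen=1
        gate_state=$(classify_rpmk_line "$gate_line")
        printf '%-12s %s\n' "$gate_state" "${gate_line%%: *}"
        [ "$gate_state" = verified ] || gate_bad=1
    done
    [ "$gate_seen" -eq 1 ] && [ "$gate_bad" -eq 0 ]
}

# verify_rpms FILE...: run the real check. stderr is merged in so that rpm
# warnings and errors are also treated as failures.
verify_rpms() {
    rpm -K "$@" 2>&1 | gate_rpmk_output
}

# Usage: sh verify-rpms.sh mongodb-org-*.rpm
if [ "$#" -gt 0 ]; then
    verify_rpms "$@"
fi
```

The script exits non-zero for a digest-only pass as well as for a damaged file, which makes it usable as a pre-install step where the signing key is expected to be imported already.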

Thank you Chris!!! :kissing_heart:

1 Like
