verifying the integrity of the source

Carsten Gehrke carsten at rollinghorse.com
Sun Nov 10 00:54:40 PST 2002


At 00:26 10-11-02, you wrote:
>Carsten P. Gehrke wrote:
>
>>How can I check the integrity of the OpneSSL package?  I have downloaded 
>>the archive and the MD5 sum and signature files.  If I try to use gpg 
>>--keyserver <keyserver> --verify openssl-0.9.6g.tar.gz.asc, I get some 
>>message about an unsupported public key algorithm, and the verification 
>>can't be done.
>
>Try:  md5sum openssl-0.9.6g.tar.gz
>  -- Bruce

I checked that out already, they match.  For additional security, I was 
going to use the gpg program, since it would be very difficult (perhaps 
even impossible) to forge that, while the md5sum could have been replaced 
by an attacker (although I did take the precaution of getting the sum from 
a different server than the source tarball.

On a related note, does anyone know if gpg uses a special port?  I 
installed gpg 1.2.1 on a machine with most ports blocked, and I can't seem 
to get any keyserver to respond.



-- 
Carsten Gehrke     LFS No.: 190    using Linux since kernel 0.98
carsten at gehrke.org

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message



More information about the blfs-support mailing list