verifying the integrity of the source

Carsten Gehrke carsten at rollinghorse.com
Sun Nov 10 01:37:20 PST 2002


At 00:54 10-11-02, you wrote:
>At 00:26 10-11-02, you wrote:
>>Carsten P. Gehrke wrote:
>>
>>>How can I check the integrity of the OpenSSL package?  I have downloaded 
>>>the archive and the MD5 sum and signature files.  If I try to use gpg 
>>>--keyserver <keyserver> --verify openssl-0.9.6g.tar.gz.asc, I get some 
>>>message about an unsupported public key algorithm, and the verification 
>>>can't be done.
>>
>>Try:  md5sum openssl-0.9.6g.tar.gz
>>  -- Bruce
>
>I checked that out already, they match.  For additional security, I was 
>going to use the gpg program, since it would be very difficult (perhaps 
>even impossible) to forge that, while the md5sum could have been replaced 
>by an attacker (although I did take the precaution of getting the sum from 
>a different server than the source tarball).
>
>On a related note, does anyone know if gpg uses a special port?  I 
>installed gpg 1.2.1 on a machine with most ports blocked, and I can't seem 
>to get any keyserver to respond.

I'm going to answer my own questions:

1) It seems that the newer gpg can handle the public keys used in the 
OpenSSL signature.  The version I used now is 1.2.1.

2) Yes, gpg uses the port pgpkeyserver 11371/tcp.  Once I added rules to my 
firewall which allowed traffic on that port, gpg worked fine.



-- 
Carsten Gehrke     LFS No.: 190    using Linux since kernel 0.98
carsten at gehrke.org
