verifying the integrity of the source
carsten at rollinghorse.com
Sun Nov 10 01:37:20 PST 2002
At 00:54 10-11-02, you wrote:
>At 00:26 10-11-02, you wrote:
>>Carsten P. Gehrke wrote:
>>>How can I check the integrity of the OpneSSL package? I have downloaded
>>>the archive and the MD5 sum and signature files. If I try to use gpg
>>>--keyserver <keyserver> --verify openssl-0.9.6g.tar.gz.asc, I get some
>>>message about an unsupported public key algorithm, and the verification
>>>can't be done.
>>Try: md5sum openssl-0.9.6g.tar.gz
>> -- Bruce
>I checked that out already, they match. For additional security, I was
>going to use the gpg program, since it would be very difficult (perhaps
>even impossible) to forge that, while the md5sum could have been replaced
>by an attacker (although I did take the precaution of getting the sum from
>a different server than the source tarball.
>On a related note, does anyone know if gpg uses a special port? I
>installed gpg 1.2.1 on a machine with most ports blocked, and I can't seem
>to get any keyserver to respond.
I'm going to answer my own questions:
1) It seems that the newer gpg can handle the public keys used in the
OpenSSL signature. The version I used now is 1.2.1.
2) Yes, gpg uses the port pgpkeyserver 11371/tcp. Once I added rules to my
firewall which allowed traffic on that port, gpg worked fine.
Carsten Gehrke LFS No.: 190 using Linux since kernel 0.98
carsten at gehrke.org
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message
More information about the blfs-support