Centos – Verification of downloaded package with rpm

Tags: centos, epel, rpm

I wanted to install a package on CentOS 6 via rpm (e.g., the current epel-release).

EDIT: Of course I would always prefer the installation via yum, but somehow I failed to get that specific package installed using this normal approach. As such, the EPEL/FAQ recommends Version 2 below.

As I'm downloading the package through an insecure channel (http) I wanted to make sure that the integrity of the file is verified using information that is not provided with the downloaded file itself. Is this especially true for all of these approaches?


I've seen various approaches to this on the internet:

Version 1

rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

Version 2

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

Version 3

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
rpm --import https://fedoraproject.org/static/0608B895.txt
rpm -K epel-release-6-7.noarch.rpm
rpm -i epel-release-6-7.noarch.rpm

I do not know rpm very well, so I wondered how they might differ. My guess (after reading the manpage) is that

  • the first should only be used when the package is previously not installed,
  • the second would additionally remove previous versions of the package after installation,
  • the first two omit some verification steps before the actual installation that are done by rpm -K.

So my main questions at this point are

  • Are my guesses correct or am I missing something?
  • Is the rpm --import ... implicitly done for the first two approaches as well, and if not, isn't it necessary to do so after all?
  • Are these additional checks performed by rpm -K ... relevant at all?
  • What is the best (most secure, most reliable, most maintainable, …) way of installing packages via rpm in general?

Best Answer

Are my guesses correct or am I missing something?

Your assumptions are correct.

Is the rpm --import ... implicitly done for the first two approaches as well

No, it's not. No verification is done on the GPG signature of the package in the first two approaches. The package contains a signature, but it does not contain the key, so it is not really possible to be automatically done. Even yum does not automatically import GPG keys because it is up to the administrator to approve each key.

and if not, isn't it necessary to do so after all?

It's a good idea. But you need to obtain the key from somewhere else (like by installing a -release package).

Are these additional checks performed by rpm -K ... relevant at all?

rpm -K verifies all signatures in the package. This includes checksums (for unintentional corruption) and GPG signature, if present, for authenticity verification. The checksums are kind of checked when installing the package, but the GPG signature is up to you.

What is the best (most secure, most reliable, most maintainable, ...) way of installing packages via rpm in general?

Use yum. You can use yum to install a downloaded package, too. Once you wget the file and rpm --import the key, you can run yum install epel-release-6-7.noarch.rpm to install the downloaded file from the local disk.
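As an added example (not from the question or the answer), the following script wraps the question's Version 3 so that the signature check is actually enforced before yum does the install: rpm -K exits 0 for an unsigned package whose digests match, so the output has to be parsed for a pgp/gpg signature that reads OK. The rpm -K output lines it classifies are constructed to match the CentOS 6 format; the key id 0608b895 and the URLs are the ones from the question.

```shell
#!/bin/sh
# Added example, not code from the original post. Enforces the GPG check that the
# answer says is "up to you": rpm -K returns 0 for a digest-only (unsigned) package,
# so its exit status alone never proves authenticity. The output must name a
# pgp/gpg signature AND end in OK. Sample lines in the comments are constructed to
# match the CentOS 6 rpm -K format; 0608b895 is the EPEL 6 key id from the question.

# rpm_sig_status "LINE": classify one line of rpm -K output.
# Prints signed-ok | unsigned | missing-key | bad; returns 0 only for signed-ok.
#   "pkg.rpm: rsa sha1 (md5) pgp md5 OK"                                  -> signed-ok
#   "pkg.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0608b895)" -> missing-key
#   "pkg.rpm: sha1 md5 OK"                                                -> unsigned
rpm_sig_status() {
    case "$1" in
        *"NOT OK"*"MISSING KEYS"*) echo missing-key; return 1 ;;  # key never imported
        *"NOT OK"*)                echo bad;         return 1 ;;  # digest/signature failed
        *[Pp][Gg][Pp]*" OK"|*[Gg][Pp][Gg]*" OK")
                                   echo signed-ok;   return 0 ;;  # verified against an imported key
        *" OK")                    echo unsigned;    return 1 ;;  # digests only: no authenticity
        *)                         echo bad;         return 1 ;;
    esac
}

# verify_rpm FILE: run the real rpm -K and accept only a verified signature.
verify_rpm() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 1; }
    out=$(rpm -K "$1" 2>&1) || true          # exit status ignored on purpose (see above)
    status=$(rpm_sig_status "$out")
    echo "$1: $status"
    [ "$status" = signed-ok ]
}

# install_epel: the question's Version 3 with the check enforced, and the final
# install handed to yum as the answer recommends. The key is fetched over https,
# independently of the http download of the package.
install_epel() {
    url=http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
    file=${url##*/}
    wget -q "$url" || return 1
    rpm --import https://fedoraproject.org/static/0608B895.txt || return 1
    verify_rpm "$file" || { echo "refusing to install $file" >&2; return 1; }
    yum install "./$file"
}
```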