I wanted to install a package on CentOS 6 via rpm (e.g., the current epel-release).
EDIT: Of course I would always prefer the installation via yum, but somehow I failed to get that specific package installed using this normal approach. As such, the EPEL/FAQ recommends Version 2 below.
As I'm downloading the package through an insecure channel (http), I wanted to make sure that the integrity of the file is verified using information that is not provided with the downloaded file itself. Is this the case for all of these approaches?
I've seen various approaches to this on the internet:
Version 1
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
Version 2
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
Version 3
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
rpm --import https://fedoraproject.org/static/0608B895.txt
rpm -K epel-release-6-7.noarch.rpm
rpm -i epel-release-6-7.noarch.rpm
I do not know rpm very well, so I wondered how they might differ. My guess (after reading the manpage) is that
- the first should only be used when the package is previously not installed,
- the second would additionally remove previous versions of the package after installation,
- the first two omit some verification steps before the actual installation that are done by rpm -K.
So my main questions at this point are
- Are my guesses correct or am I missing something?
- Is the rpm --import ... implicitly done for the first two approaches as well, and if not, isn't it necessary to do so after all?
- Are these additional checks performed by rpm -K ... of any relevance?
- What is the best (most secure, most reliable, most maintainable, …) way of installing packages via rpm in general?
Best Answer
- Your assumptions are correct.
- No, it's not. No verification is done on the GPG signature of the package in the first two approaches. The package contains a signature, but it does not contain the key, so it is not really possible for this to be done automatically. Even yum does not automatically import GPG keys because it is up to the administrator to approve each key. It's a good idea. But you need to obtain the key from somewhere else (like by installing a -release package).
- rpm -K verifies all signatures in the package. This includes checksums (for unintentional corruption) and the GPG signature, if present, for authenticity verification. The checksums are kind of checked when installing the package, but the GPG signature is up to you.
- Use yum. You can use yum to install a downloaded package, too. Once you wget the file and rpm --import the key, you can yum install epel-release-6-7.noarch.rpm the downloaded file from the local disk.
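As an added example (not code from the question or from the answer above), here is the Version 3 procedure from the question with the two checks a practitioner wants around it. First, rpm -K exits 0 for an unsigned package because all it could verify was checksums, which whoever replaced the file on the http path recomputed too; so a zero exit status alone does not establish authenticity, and the output has to show that a signature was actually verified. Second, the key given to rpm --import must itself be compared against a fingerprint or digest obtained through a channel you already trust, otherwise a key fetched next to the package proves nothing. rpm -i on a signed package whose key is not imported only prints a NOKEY warning and installs anyway, which is why the check runs before the install. The pinned digest value, the key file name and the rpm -K output wordings (rpm 4.x on EL6, plus the "digests signatures OK" form of newer rpm) are assumptions; the sample lines used in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Assumptions: rpm 4.x output formats as printed on EL6 (constructed lines
# such as "... pgp md5 OK") and the "digests signatures OK" wording of
# rpm >= 4.14; KEY_SHA256 is a placeholder the reader obtains out of band;
# the key and package URLs are the ones from the question.

# SHA-256 of a file (coreutils sha256sum, falling back to shasum on systems
# without it).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a downloaded key file against a digest obtained through a channel
# you trust (a machine that already has the key installed, the https
# fedoraproject.org page, the fingerprint printed in the EPEL/FAQ). Anything
# fetched alongside the package over http cannot vouch for itself.
key_file_matches() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Interpret one line of `rpm -K` (rpm --checksig) output.
# rpm -K exits 0 for an unsigned package ("sha1 md5 OK" / "digests OK"):
# it only had checksums to check, and an attacker who swapped the file
# recomputed those. Lowercase "pgp" (or "signatures OK" on newer rpm) means
# the signature was verified against an imported key; uppercase "PGP" with
# "MISSING KEYS" (or "SIGNATURES NOT OK") means it could not be.
checksig_line_ok() {
    case $1 in
        *"NOT OK"*) return 1 ;;   # bad checksum, bad signature, or key not imported
        *" OK") ;;                 # checksums fine; a verified signature is still required
        *) return 1 ;;             # anything else: error message, empty output
    esac
    case $1 in
        *" pgp "*|*" gpg "*|*" signatures OK") return 0 ;;  # signature verified
        *) return 1 ;;             # checksums only: authenticity unknown
    esac
}

# Version 3 from the question with the checks inserted: abort before
# rpm --import if the key file does not match the pinned digest, and abort
# before installing if rpm -K did not verify a signature.
install_verified() {
    pkg=$1 keyfile=$2 key_sha256=$3
    key_file_matches "$keyfile" "$key_sha256" || {
        echo "key file $keyfile does not match pinned digest" >&2; return 1; }
    rpm --import "$keyfile" || return 1
    out=$(rpm -K "$pkg" 2>&1)
    checksig_line_ok "$out" || { echo "refusing to install: $out" >&2; return 1; }
    rpm -Uvh "$pkg"
}

# Usage (not executed here; KEY_SHA256 is the placeholder you fill in):
#   wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
#   wget -O RPM-GPG-KEY-EPEL-6 https://fedoraproject.org/static/0608B895.txt
#   install_verified epel-release-6-7.noarch.rpm RPM-GPG-KEY-EPEL-6 "$KEY_SHA256"
```

The same functions apply when the package is later handed to yum instead of rpm -Uvh, as the answer recommends: the key check and the rpm -K check happen before either tool touches the package, and the install step is the only line that changes.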