Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Quick Links
how to?: verify download .rpm versus your GPG public key; in ruby query klayout-version string
First, in a klayout ruby script, how to get the klayout-version as a string (similar as, but without launching a subprocess: klayout -b -v)?
Second, on download GPG public key usage, I must be doing it wrong. When I import your GPG public key, and query keys in rpm-db before/after I can see "a" new key. Using centos-7.
# diff /tmp/{old,new}keys
3a4
> gpg-pubkey-3785d040-59bcd300
but the Signature field of the downloaded rpm says none, and when using checksig, there is no GPG mention in the output (no change to checksig output before/after importing your GPG public key into the rpm-db). Below I try to dump sigs of a sampling of other releases.
URLs:
https://www.klayout.org/downloads/gpg-public.key
https://www.klayout.org/downloads/CentOS_7/klayout-0.26.11-0.x86_64.rpm
Thank you.
# rpm --checksig klayout-0.26.11-0.x86_64.rpm
klayout-0.26.11-0.x86_64.rpm: sha1 md5 OK
# rpm -qpi klayout-0.26.11-0.x86_64.rpm | grep ^Signature
Signature : (none)
# md5sum klayout-0.26.11-0.x86_64.rpm
ad0dfb8a98c0368b429fdbf975befd57 klayout-0.26.11-0.x86_64.rpm
# ls -v *.rpm | xargs -n 1 -t rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p
rpm -q --qf %{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n -p klayout-0.24.10-1.1.x86_64.rpm
warning: klayout-0.24.10-1.1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e8e680f0: NOKEY
klayout-0.24.10-3.1 (none) DSA/SHA1, Sat Apr 1 11:05:08 2017, Key ID 8c465e9ae8e680f0
rpm -q --qf %{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n -p klayout-0.26-0.x86_64.rpm
klayout-0.26-0 (none) (none)
rpm -q --qf %{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n -p klayout-0.26.3-0.x86_64.rpm
klayout-0.26.3-0 (none) (none)
rpm -q --qf %{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n -p klayout-0.26.8-0.x86_64.rpm
klayout-0.26.8-0 (none) (none)
rpm -q --qf %{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n -p klayout-0.26.11-0.x86_64.rpm
klayout-0.26.11-0 (none) (none)
Comments
Hi,
the version you can obtain with (Python):
Regarding the GPG key, RPMs are not signed currently due to a shift in the build strategy. I don't want to distribute my private key to open servers. You should build from source if you want to ensure integrity.
Matthias