Previous: Verifying the Unpacked Archive, Up: Verifying the Distribution

4.3 Verifying Using Existing GNU Tools

Verifying manually is subject to the same constraints as verifying the unpacked archive, except for the existence of the checkdigest script and file list file catalog/dfiles/files. The steps below that check the payload message digests are typically the checks the checkdigest script would perform.

The first step is to unpack.

     rm -fr somepackage-1.0
     tar zxpf somepackage-1.0.tar.gz

The next step is try to re-create the signed byte stream and verify with gpg like this:

     tar cf - --format=ustar -b1 --numeric --owner=root --group=root \
     --exclude=catalog/dfiles/signature \
     somepackage-1.0/catalog  |
     gpg --verify somepackage-1.0/catalog/dfiles/signature -

Experimenting with the --format, --numeric, --owner, and --group options may be required to get a authentic byte stream. These options depend on how the distribution was created, specifically, the swign --format option and the PSF file_permissions directive. This is why a consistent file permissions policy and tar archive format are important.

Next, try to re-create the payload byte streams like this:

     tar cf - --format=ustar -b1 --numeric --owner=root --group=root \
     --exclude=somepackage-1.0/catalog \
     --exclude=somepackage-1.0/catalog/\* somepackage-1.0 | md5sum

Then compare this md5 to the contents of somepackage-1.0/catalog/dfiles/md5sum. Do the same thing for the sha1 digest. If the package contains a symbolic link then you will not be able to re-create these digests because the modification time cannot be preserved for this file type. This may be a good reason source packages not contain symbolic links.