Gentoo Archives: gentoo-user

From: James <wireless@×××××××××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] package download verification
Date: Wed, 07 May 2014 05:23:55
Message-Id: loom.20140507T071126-552@post.gmane.org
So,

Since (forever) I have manually checked the .Digest and such using
openssl or gpg, not unlike what is in the gentoo handbook.

This is retarded, and I'm too old to do that now, so I went shopping
for some script/tool/code to do it for me. I sure that a sinlple
script with diff would be sufficient to compare the download hash
against the one openssl generates... In fact, I do not know
why the integrity check is not fully integrated into ftp. rsync.
or whatever the download tool is?

If futher suspicion warrants, I can always perform a manual spot check,
but some integrated integrity should be part of the download process?



But why not just use a simple script:

<scriptname> package.just.downloaded package.just.downloaded.DIGESTS

and have it return:

<ok or match or corrupted>

After all this is intuitively obviously, when I burn a cd/dvd
and is an integrated option.

???

So I found this python script  "verify.py"

https://bbs.archlinux.org/viewtopic.php?id=83839


Sure there is a slicker, newer, better  scheme?
Pardon my (lazy) ignorance here..... 


James

Replies

Subject Author
Re: [gentoo-user] package download verification Alan McKinnon <alan.mckinnon@×××××.com>