
I wanted to install a package on CentOS 6 via rpm (e.g., the current epel-release).

EDIT: Of course I would always prefer the installation via yum, but somehow I failed to get that specific package installed using this normal approach. As such, the EPEL/FAQ recommends Version 2 below.

As I'm downloading the package through an insecure channel (http) I wanted to make sure that the integrity of the file is verified using information that is not provided with the downloaded file itself. Is this especially true for all of these approaches?


I've seen various approaches to this on the internet:

Version 1

rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

Version 2

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

Version 3

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
rpm --import https://fedoraproject.org/static/0608B895.txt
rpm -K epel-release-6-7.noarch.rpm
rpm -i epel-release-6-7.noarch.rpm

I do not know rpm very well, so I wondered how they might differ? My guess (after reading the manpage) is that

  • the first should only be used when the package is previously not installed,
  • the second would additionally remove previous versions of the package after installation,
  • the first two omit some verification steps before the actual installation that are done by rpm -K.

So my main questions at this point are

  • Are my guesses correct or am I missing something?
  • Is the rpm --import ... implicitly done for the first two approaches as well, and if not, isn't it necessary to do so after all?
  • Are these additional checks performed by rpm -K ... any relevant?
  • What is the best (most secure, most reliable, most maintainable, ...) way of installing packages via rpm in general?
moooeeeep

2 Answers


First: man rpm.
Then: man yum.
(sometimes it's helpful to see it in HTML form)

In practice, I usually use the YUM framework to install new packages. In modern Red Hat/CentOS/Fedora systems, YUM satisfies package dependencies and handles the installation process.

If I do end up downloading an rpm file directly (via curl, wget or local build), my go-to rpm command line is:

rpm -ivh packagename.rpm

The -i is "install". The -v is "verbose". The -h is "hash", and displays a progress bar during installation.

[root@xt ~]# rpm -i ncdu-1.5-1.el5.x86_64.rpm 
<no output>

versus

[root@xt ~]# rpm -iv ncdu-1.5-1.el5.x86_64.rpm 
Preparing packages for installation...
ncdu-1.5-1.el5

versus

[root@xt ~]# rpm -ivh ncdu-1.5-1.el5.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:ncdu                   ########################################### [100%]

rpm -i packagename.rpm does the job, but years of doing this have led to a natural tendency to use -ivh. Progress bars are nice.

The -U switch is for upgrading an existing package. Again, the use case for this is narrower since YUM can handle package updates as well. I typically only use -U if there's an error indicating conflicting files from a previously-installed RPM package.

I've never used rpm -K. I've not needed it in 12 years... It's meant to verify the actual rpm package file, but if you download from a signed YUM repository (via GPG key), I think an extra step of verification is unnecessary.

ewwhite
  • Thanks for your answer! Of course I would prefer yum at any time. But this approach was apparently not available for that package. Please have a look at my edit. – moooeeeep Dec 12 '12 at 10:54
  • Either 1 or 2 works. I usually `wget` the EPEL file and install it locally, but there's no problem with what they've stated. – ewwhite Dec 12 '12 at 11:04
  • So, if I correctly understood, then the `vh` flags are just for visualisation, and the `K` issues the verification of the file after downloading through an insecure channel. I'm curious whether and what kind of verification is (silently) done or omitted for the plain installation commands (flags `i` or `U`). – moooeeeep Dec 12 '12 at 11:45
  • `-v` and `-h` are just visual installation progress indicators. `-K` is a verification step that doesn't do anything else. – ewwhite Dec 12 '12 at 14:42
  • If you use `yum localinstall filename.rpm` you don't get that annoying `yumdb has been altered outside of yum` warning. Also, dependency resolution. – Aaron Copley Dec 12 '12 at 16:41

Are my guesses correct or am I missing something?

Your assumptions are correct.

Is the rpm --import ... implicitly done for the first two approaches as well

No, it's not. No verification is done on the GPG signature of the package in the first two approaches. The package contains a signature, but it does not contain the key, so it is not really possible to be automatically done. Even yum does not automatically import GPG keys because it is up to the administrator to approve each key.

, and if not, isn't it necessary to do so after all?

It's a good idea. But you need to obtain the key from somewhere else (like by installing a -release package).

Are these additional checks performed by rpm -K ... any relevant?

rpm -K verifies all signatures in the package. This includes checksums (for unintentional corruption) and GPG signature, if present, for authenticity verification. The checksums are kind of checked when installing the package, but the GPG signature is up to you.

What is the best (most secure, most reliable, most maintainable, ...) way of installing packages via rpm in general?

Use yum. You can use yum to install a downloaded package, too. Once you wget the file and rpm --import the key, you can yum install epel-release-6-7.noarch.rpm the downloaded file from the local disk.

chutz
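A scripted form of the third approach discussed in both answers, as an added example that is not part of either answer: the package is installed only after `rpm --checksig` reports a verified signature, and only if the signer is the key that was just imported, since `rpm -K` passes for any key already in the rpm keyring. It assumes rpm 4.8 output conventions (CentOS 6), the `%{SIGPGP:pgpsig}` query tag, and placeholder arguments; `EXPECTED_KEY_ID` is the short id of the key file linked in the question.

```shell
# Added example (not from the original post): gate `rpm -i` on a verified
# signature from one expected key. Assumes rpm 4.8 (CentOS 6) --checksig
# output conventions; EXPECTED_KEY_ID and the arguments are placeholders.
EXPECTED_KEY_ID="0608b895"   # short id of the key imported from fedoraproject.org

# --checksig prints verified checks in lowercase ("pgp md5 OK") and checks it
# could not do in uppercase parentheses ("((MD5) PGP) ... NOT OK"). Accept only
# an OK line containing a lowercase pgp/gpg token: an unsigned package whose
# digests match ("sha1 md5 OK") is still refused.
checksig_line_ok() {
    case "$1" in
        *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;
        *" OK") ;;
        *) return 1 ;;
    esac
    case "$1" in
        *pgp*|*gpg*) return 0 ;;
        *) return 1 ;;
    esac
}

# rpm -K passes for *any* key already in the rpm keyring, so also compare the
# signer's key id (from rpm -qp --qf '%{SIGPGP:pgpsig}') with the one we expect.
signed_by_expected_key() {
    id=$(printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9a-fA-F]*\).*/\1/p' | tr 'A-F' 'a-f')
    [ -n "$id" ] || return 1
    case "$id" in
        *"$EXPECTED_KEY_ID") return 0 ;;
        *) return 1 ;;
    esac
}

# Import the key from its https location, then verify before installing.
verify_and_install() {
    pkg="$1"; keyurl="$2"
    rpm --import "$keyurl" || return 1
    out=$(rpm --checksig "$pkg") || true      # exits 1 on NOT OK; the line is parsed anyway
    sig=$(rpm -qp --qf '%{SIGPGP:pgpsig}\n' "$pkg" 2>/dev/null)
    if checksig_line_ok "$out" && signed_by_expected_key "$sig"; then
        rpm -ivh "$pkg"
    else
        printf 'refusing to install %s\n  %s\n  signer: %s\n' "$pkg" "$out" "$sig" >&2
        return 1
    fi
}

# Usage: sh verify_install.sh epel-release-6-7.noarch.rpm https://fedoraproject.org/static/0608B895.txt
if [ "$#" -eq 2 ]; then
    verify_and_install "$1" "$2"
fi
```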