Is it possible to do RPM package signature verification in PowerShell?

  • Question

  • I’m trying to do GPG signature validation of CentOS 7 RPM files that I have downloaded. They are validated during the first download, but I am trying to do another validation after they have been transferred to a Windows computer.

    Can PowerShell do a signature verification on the rpm packages?

    Tuesday, May 1, 2018 8:40 AM

Answers

All replies

  • You will have to ask the vendor for help.


    \_(ツ)_/

    Tuesday, May 1, 2018 8:57 AM
  • As Powershell is going cross-platform and there are Windows Subsystem for Linux support, Microsoft is one of the vendors also :).

    Tuesday, May 1, 2018 12:19 PM
  • You still need to post to the Centos forums for help with this.  It is not a scripting issue. 

    PowerShell has no specific support for file validation.  The Net Framework does but we have no idea what kind of a signature Centos uses on its packages.

    You can try this if Centos uses standard file signatures. Package validation usually means more than just the file signature.

    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-authenticodesignature?view=powershell-6

    Here is the Centos forum if you need further help: https://www.centos.org/forums/

    Centos is NOT a Microsoft product and not supported by Microsoft.


    \_(ツ)_/

    • Marked as answer by Purkkapallo Tuesday, May 1, 2018 2:35 PM
    Tuesday, May 1, 2018 12:25 PM
  • I suppose you could check the hash of the rpm file with get-filehash, knowing what it's supposed to be in advance.


    • Edited by JS2010 Tuesday, May 1, 2018 9:22 PM
    Tuesday, May 1, 2018 9:21 PM
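The Get-FileHash approach above, written out as an added example (not code from any poster in this thread): it checks each downloaded RPM against a sha256sum-style manifest that was obtained over a trusted channel before the transfer, and first confirms the file actually carries the RPM lead magic. The manifest format, file names and paths are assumptions; this verifies integrity against the manifest only, not the package's GPG signature.

```powershell
# Added example, not from the thread. Assumes a manifest with lines of the form
# "<64 hex chars>  <file name>" (sha256sum output) that was fetched over a trusted
# channel before the RPMs were moved to Windows. This is an integrity check against
# that manifest; it does not verify the RPM's embedded GPG signature.

function Test-RpmLead {
    param([Parameter(Mandatory)][string]$Path)
    # Every RPM package begins with the 4-byte lead magic ED AB EE DB.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $magic = New-Object byte[] 4
        $read = $stream.Read($magic, 0, 4)
        return ($read -eq 4 -and $magic[0] -eq 0xED -and $magic[1] -eq 0xAB -and
                $magic[2] -eq 0xEE -and $magic[3] -eq 0xDB)
    } finally {
        $stream.Dispose()
    }
}

function Test-RpmManifest {
    param(
        [Parameter(Mandatory)][string]$ManifestPath,   # path to sha256sum.txt (assumed name)
        [Parameter(Mandatory)][string]$PackageDir      # directory holding the transferred RPMs
    )
    foreach ($line in Get-Content -Path $ManifestPath) {
        # Skip anything that is not "<hash>  [*]<name>"; "*" marks binary mode in sha256sum output.
        if ($line -notmatch '^(?<hash>[0-9a-fA-F]{64})\s+\*?(?<name>\S.*)$') { continue }
        $expected = $Matches['hash'].ToUpperInvariant()
        $name     = $Matches['name']
        $file     = Join-Path -Path $PackageDir -ChildPath $name
        $status   = 'MISSING'
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            if (-not (Test-RpmLead -Path $file)) {
                $status = 'NOT_AN_RPM'
            } else {
                # Get-FileHash returns the digest as upper-case hex.
                $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
                $status = if ($actual -eq $expected) { 'OK' } else { 'HASH_MISMATCH' }
            }
        }
        [pscustomobject]@{ File = $name; Status = $status }
    }
}

# Usage: any row whose Status is not OK means the file should not be trusted.
# Test-RpmManifest -ManifestPath 'C:\rpms\sha256sum.txt' -PackageDir 'C:\rpms' |
#     Where-Object Status -ne 'OK'
```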
  • I suppose you could check the hash of the rpm file with get-filehash, knowing what it's supposed to be in advance.


    A file hash is not a file signature or security mechanism.  It is only used to validate that the contents of the file have a consistent hash value.  Authenticode and other software delivery security mechanisms use certificates which are mostly impossible to break and do not require a hash be saved and transferred.

    In software we want to validate the package and all of its contents plus make the package impossible to fake.

    The reason I said to contact the vendor is because vendors usually use "Authenticode" but some may use other mechanisms. If they use file hashes then it is not really a robust security mechanism.

    You can also right click on the package and see the Authenticode certificate in properties but an EXE or ZIP  wrapper will not tell you if the package is signed.


    \_(ツ)_/

    Tuesday, May 1, 2018 9:55 PM
  • Here is a quick overview of code signing and what types are available: https://en.wikipedia.org/wiki/Code_signing


    \_(ツ)_/

    Tuesday, May 1, 2018 9:57 PM