[Wolves] RPM Download
James Turner
james at turnersoft.co.uk
Mon Jun 14 12:10:22 BST 2004
On Monday 14 Jun 2004 07:37, TriG wrote:
> Hi Mo,
>
> Mo Awkati wrote:
> > Hi Folk
> >
> > can anyone help with this issue. I want to Download
> > an RPM from a site (link below) but each time I try it
> > activates a tabbed page info about the RPM and
> > "Install with YAST" at the top. When I try to drag and
> > drop the link in Kget it downloads something like
> > "download.php" the download shows as an RPM icon in
> > the file manager. How can I get it to download the
> > RPM?
>
> With SUSE, YaST automatically tries to handle all RPM downloads, it
> assumes you wish to install the RPMs and tries to do that for you.

To disable this behaviour in Konqueror:

Click "Settings", "Configure Konqueror", "File Associations". On Red Hat, you
need to select x-rpm within the "Applications" filetype category (may be
slightly different on SuSE), and clear yast or whatever from the "Application
Preference Order" box.

> > I am using SUSE 9.0, KDE, and Konqueror.
> >
> > The link: http://packman.links2linux.de/?action=124
>
> Do you have wget installed? If that is the link to download, you could
> wget it
> wget http://packman.blah

I sometimes use wget for large files. You can right click and select "Copy
link location" in Konqueror, then tap the middle mouse button in a terminal
to paste it. A variation I often use is:

wget -T 45 -t 999 <URL>

(if the download stalls for >45 seconds, reconnect and try to resume from
where it left off. Allow for up to 999 such failures before completely giving
up.)

> I haven't looked at the link myself cos it's 7:30 and I'm tired :s
>
> > this site is in German but there is an English version
> > click at the Union Jack at the top. What is the "asc"
> > link on the side???
>
> ASC is something to do with PGP (Pretty Good Privacy). I think it's
> their cert or something so that you know it's valid, very much like an
> MD5 sum. Someone correct me if I'm wrong please

Correct. It's a PGP/GPG signature for the file, and is indeed used for
checking that the file has not been corrupted or tampered with.

The signature is created by applying a "cryptographic hash function" to the
file to produce a fixed length string of data called the message digest. The
hash function is chosen such that finding another file with the same message
digest is extremely difficult (and making an arbitrary change to the original
file produces a completely different message digest). The message digest is
then encrypted with the user's private key, transformed so that it only
contains valid ASCII characters (so that it can be included in e-mail
messages, etc.) and an identifying header and footer added to produce a
"signature".

The finished product might look something like this:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBAo95oiINmwFJ3ovoRAhQIAJ4sAbcISLfDPfUN70+yN4UF3JModwCgi5Iq
9cdaxTSoPD1XmCK7oJV3xiM=
=nVyQ
-----END PGP SIGNATURE-----

Someone downloading the file can recover the message digest from the signature
with the user's public key and compare it with one they calculate from the
file themselves, allowing them to see if it has changed since the original
file was signed.

In summary:

- Comparing the message digests can be used to verify that the file is the
  same as when the original digest was calculated
- Encrypting the message digest authenticates it (and hence authenticates the
  file itself) as originating from the same place as the public key.

The issue still remains of what is "the same place as the public key", and can
it be trusted, but that, as they say, is another story.

James
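
Added example, not part of James's message: the sign-and-verify flow described above (hash the file, transform the digest with the private key, ASCII-armour it, then recover the digest with the public key and compare), written in Python. It uses textbook RSA with a constructed toy key and a made-up "TOY SIGNATURE" armour, so it is not OpenPGP-compatible and offers no security; every name in it is an assumption for illustration.

```python
import base64
import hashlib

# Toy RSA key built from two well-known Mersenne primes (constructed for
# illustration only; anyone can factor N, so this offers no security).
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)
SIG_LEN = (N.bit_length() + 7) // 8

BEGIN = "-----BEGIN TOY SIGNATURE-----"
END = "-----END TOY SIGNATURE-----"


def digest(data: bytes) -> int:
    """Message digest of the file contents, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> str:
    """Transform the digest with the private key, then ASCII-armour it."""
    raw = pow(digest(data), D, N).to_bytes(SIG_LEN, "big")
    body = base64.encodebytes(raw).decode("ascii").strip()
    return f"{BEGIN}\n\n{body}\n{END}\n"


def verify(data: bytes, armoured: str) -> bool:
    """Recover the digest with the public key and compare with our own."""
    lines = [ln.strip() for ln in armoured.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return False
    try:
        raw = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return False
    sig = int.from_bytes(raw, "big")
    if len(raw) != SIG_LEN or sig >= N:
        return False
    return pow(sig, E, N) == digest(data)


if __name__ == "__main__":
    rpm = b"constructed stand-in for the RPM file contents\n"
    asc = sign(rpm)
    print(asc)
    print("original:", verify(rpm, asc))
    print("tampered:", verify(rpm + b"x", asc))
```

For a real download, the equivalent check is `gpg --verify file.rpm.asc file.rpm` against the packager's public key.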