On #gobolinux last night an issue came up that has appeared occasionally before – the signature format for packages has changed between the 014.01 release and now, so the Scripts package won’t validate when you upgrade. The change was necessary to make for security, but it creates a problem for new installations trying to bring their tools up-to-date.
For those that don’t care for the fuss, and are willing to take the (very small) risk, you can just run SymlinkProgram Scripts 2.10.1 to activate the new package after installation fails with the validation error. Alternatively, you can upgrade piecewise through intermediate releases to get the fullest possible validation. The first stop should be 2.9.1, which will allow validating the latest package but does not include the version-validating code introduced for another problem. That will also be good enough for most people – the chance of a compromised mirror is pretty slight.
However for complete security you would need to validate the entire package as installed using a trusted signature from the CD release. Here’s a quick script to do that – it builds a verifiable checksum and validates it against the live system. The core code is embedded in a signed block using my key, with a small piece of code outside to verify the signature and execute the code automatically (not necessary, but the GPG command line to use the GoboLinux keyring is pretty long, so this makes it easier – you can copy the internal block out and validate manually if you prefer).
HopValidate will validate the Scripts 2.10.1 package using a known good checksum, preserving the chain of trust all the way. For full security, you should review the unsigned portion of the code, which uses the system keyring to validate the rest.
The manual command to decrypt is gpg –decrypt –no-default-keyring –keyring=/Programs/Scripts/Current/Data/gpg/goboring.gpg HopValidate, or –verify to verify the signature only. If you’re using this on Rootless, you’ll need to adjust the wrapper script and the command to use your local path to the Scripts directory – there’s no autodetection to keep the code easily reviewable.
[ed. 2010-01-31: Updated for 2.10.1]