Verifying the Unpacked Archive - Creating and Verifying Tar Archives with Embedded GPG Signatures

Next: Verifying Using Existing GNU Tools, Previous: Verifying the Tar Archive File, Up: Verifying the Distribution

4.2 Verifying the Unpacked Archive

The ability to verify the unpacked form is subject to several limitations, chief among them is the package must unpack into a single directory, verification then takes place on that directory.

For example

     tar zxpf somepackage-1.0.tar.gz
     swverify -d  @:somepackage-1.0

Verifying in this way requires that tar be able to re-create the exact byte stream that existed in the original distribution.

There are many constraints on the ability to verify the unpacked archive. These restrictions do not apply when verifying the archive file itself. Here they are:

The file system must order directory entries like the Ext2 file system. (Ext3 file systems have this compatibility if dir_indexes are turned off. e.g. tune2fs -O ^dir_index /dev/device).
The package must unpack into a single directory.
The version of GNU tar must be compatible with the swpackage version used to make the package.
The file owners in the package are present on the system with the same ids.
Whether the package has file names longer than 99 bytes. (There have been intermittent deviations with GNU tar for certain long file names.)
The package contains checkdigest script <path>/catalog/dfiles/checkdigest
The package contains distribution file list <path>/catalog/dfiles/files (if the checkdigest script requires it, which it should).