<rpm-file> with filename of the RPM package):
rpm -K --nogpg <rpm-file>
You will see the message <rpm-file>: md5 OK. This brief message means that the file was not corrupted by the download. To see a more verbose message, replace -K with -Kvv in the command.
On the other hand, how trustworthy is the developer who created the package? If the package is signed with the developer's GnuPG key, you will know that the developer really is who they say they are.
An RPM package can be signed using Gnu Privacy Guard (or GnuPG), to help you make certain your downloaded package is trustworthy.
documents and encrypt/decrypt data to and from other recipients. GnuPG is capable of decrypting and verifying PGP 5.x files, as well.
to import Red Hat's public key.
To verify official Red Hat packages, you must import the Red Hat GPG key. To do so, execute the following command at a shell prompt:
rpm --import /usr/share/rhn/RPM-GPG-KEY
To display a list of all keys installed for RPM verification, execute the command:
rpm -qa gpg-pubkey*
For the Red Hat key, the output will include:
gpg-pubkey-db42a60e-37ea5438
To display details about a specific key, use rpm -qi followed by the output from the previous command:
rpm -qi gpg-pubkey-db42a60e-37ea5438
To check the GnuPG signature of an RPM file after importing the builder's GnuPG key, use the following command (replace <rpm-file> with filename of the RPM package):
rpm -K <rpm-file>
If all goes well, you will see the message: md5 gpg OK. That means that the signature of the package has been verified and that it is not corrupt.
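The difference between the two messages matters when the check is scripted: md5 OK shows only that the file is intact, while md5 gpg OK also shows that the signature verified against an imported key. The following shell script is an added example, not part of the original guide; the function names, the package file name and the sample lines are constructed, and it assumes the signed-package message carries the same <rpm-file>: prefix as the unsigned one.

```sh
#!/bin/sh
# Added example: gate on the two `rpm -K` messages quoted in the text.

# $1 = file name exactly as passed to rpm -K, $2 = the line rpm printed.
# Output in any other form is treated as a failure (fail closed).
rpm_k_verdict() {
    case $2 in
        "$1: md5 gpg OK") echo signature-verified ;;  # digest and GnuPG signature
        "$1: md5 OK")     echo digest-only ;;         # intact, origin unproven
        *)                echo failed ;;
    esac
}

# Return 0 only if a public key is imported and every package named
# carries a verified GnuPG signature; 1 otherwise, 2 if no key is imported.
check_packages() {
    if [ -z "$(rpm -qa 'gpg-pubkey*')" ]; then
        echo "no gpg-pubkey entries; import the builder's key first" >&2
        return 2
    fi
    rc=0
    for pkg in "$@"; do
        # Require both a zero exit status and the expected message.
        if out=$(rpm -K "$pkg" 2>&1); then
            verdict=$(rpm_k_verdict "$pkg" "$out")
        else
            verdict=failed
        fi
        printf '%s\t%s\n' "$verdict" "$pkg"
        [ "$verdict" = signature-verified ] || rc=1
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_packages "$@"
else
    # Constructed sample lines; example-1.0-1.i386.rpm is a placeholder name.
    f=example-1.0-1.i386.rpm
    rpm_k_verdict "$f" "$f: md5 gpg OK"
    rpm_k_verdict "$f" "$f: md5 OK"
    rpm_k_verdict "$f" "$f: md5 GPG NOT OK"
fi
```

Run it with package file names as arguments to check real files; with no arguments it prints the verdicts for the three sample lines.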
Tip: For more information about GnuPG, see Appendix B Getting Started with Gnu Privacy Guard.