
All you have to know about RPM

by Alexandre de Abreu

How can I check digests and signatures against a package?

Every RPM package can be signed with a GPG key and carries an MD5 hash inside its header, so a package can be both validated (digests) and verified (signature). The first thing to check is the presence of the GPG public key: a signature can only be verified if the right public key is installed.

To install the keys, look in the directory /usr/share/rhn/, which is usually where the GPG keys are kept. The following command imports/installs the key:

rpm --import /usr/share/rhn/GPG-KEY

The Fedora key is usually named "RPM-GPG-KEY-fedora", but you can import multiple keys if you want. To see the keys already installed on your system, issue the command:

rpm -qi gpg-pubkey | more

And finally, to verify a package (md5, sha1, gpg), issue the command:

rpm -K package.rpm

Here's an example output against the Iptables package:

# rpm -K /ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm
/ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm: (sha1) dsa sha1 md5 gpg OK
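Reading that output line correctly matters: rpm reports the checks it ran one token per check, so "sha1 md5 OK" with no gpg token means the digests match but nobody signed the package, and a failed check is printed in upper case followed by "NOT OK". The following helper is an added example, not code from the original page; it parses captured `rpm -K` output in the layout shown above. The first sample line is the page's iptables example; the unsigned and missing-key lines are constructed and assumed to follow the same rpm 4.x layout.

```python
import re

# Constructed sample output in the layout `rpm -K` prints (rpm 4.x). Line 1 is the
# page's own iptables example; lines 2 and 3 are constructed variants for an
# unsigned package and for a signed package whose public key is not imported.
SAMPLE_OUTPUT = """\
/ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm: (sha1) dsa sha1 md5 gpg OK
/tmp/unsigned-0.1-1.noarch.rpm: sha1 md5 OK
/tmp/foreign-2.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0badcafe)
"""

LINE_RE = re.compile(r"^(?P<path>.+?\.rpm): (?P<result>.+)$")

def classify(line):
    """Map one `rpm -K` line to (path, verdict).

    'signed-ok'   digests and the GPG signature verified with an installed key
    'unsigned'    digests match but no gpg token: nobody has vouched for the file
    'missing-key' a signature exists but its public key was never imported
    'bad'         a digest or signature check failed
    'unparsed'    line does not look like rpm -K output
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return (line.strip(), "unparsed")
    path, result = m.group("path"), m.group("result")
    if "NOT OK" in result:
        return (path, "missing-key" if "MISSING KEYS" in result else "bad")
    if not result.endswith("OK"):
        return (path, "unparsed")
    # rpm prints one token per check; a gpg/pgp token means a signature was checked.
    tokens = {t.strip("()").lower() for t in result.split()}
    return (path, "signed-ok" if tokens & {"gpg", "pgp"} else "unsigned")

def verify_output(output):
    """Classify every non-empty line of captured `rpm -K` output."""
    return [classify(l) for l in output.splitlines() if l.strip()]

def all_trusted(output):
    """True only if every package carries a signature verified with an installed key.

    Looking for the word 'OK' alone is not enough: an unsigned package whose
    digests match is still reported 'OK'.
    """
    return all(v == "signed-ok" for _, v in verify_output(output))

if __name__ == "__main__":
    for path, verdict in verify_output(SAMPLE_OUTPUT):
        print(f"{verdict:12} {path}")
    print("all trusted:", all_trusted(SAMPLE_OUTPUT))
```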