Every RPM package can be signed with a GPG key and carries an MD5 hash in its header, so you can verify and validate a package. First check that the GPG public key is present: you can only verify a signature if the right public key is installed.
To install the keys, look in the directory /usr/share/rhn/; this is usually where the GPG keys are kept. The following command imports (installs) the key:
rpm --import /usr/share/rhn/GPG-KEY
The Fedora key is usually named "RPM-GPG-KEY-fedora", but you can import multiple keys if you want. To see the keys already installed on your system, issue the command:
rpm -qi gpg-pubkey | more
Finally, to verify a package (md5, sha1, gpg), issue the command:
rpm -K package.rpm
Here's an example of the output for the iptables package:
# rpm -K /ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm
/ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm: (sha1) dsa sha1 md5 gpg OK
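When this check runs from a script, a trailing "OK" is not enough on its own: a package that carries no signature can still report its digests as OK. The following is an added example, not part of the original page. It classifies one line of `rpm -K` output in the format shown above and succeeds only when a `gpg` (or `pgp`) token was verified. The function names are hypothetical, and the unsigned and failing sample lines in the comments are constructed, assuming the same older rpm output format.

```shell
#!/bin/sh
# Added example: classify one line of `rpm -K` output (older rpm format,
# e.g. "pkg.rpm: (sha1) dsa sha1 md5 gpg OK").
# Prints SIGNED / UNSIGNED / FAILED and returns:
#   0 = signature verified, 1 = verification failed, 2 = digests only
classify_rpm_k() {
    line=$1
    # Drop the leading "path: " so only the result tokens remain.
    # Assumes the path itself contains no ": " sequence.
    result=${line#*: }

    case $result in
        *"NOT OK"*) echo "FAILED"; return 1 ;;   # bad digest/signature or missing key
        *" OK")     ;;                           # continue to the signature check
        *)          echo "FAILED"; return 1 ;;   # unexpected output: fail closed
    esac

    # A lowercase gpg/pgp token before the trailing OK means a signature
    # was actually checked against an imported public key.
    case " ${result% OK} " in
        *" gpg "*|*" pgp "*) echo "SIGNED"; return 0 ;;
    esac

    # Only digests (md5/sha1) were checked: integrity, but no authenticity.
    echo "UNSIGNED"
    return 2
}

# Hypothetical wrapper: run rpm -K on one file and classify the result.
verify_rpm() {
    classify_rpm_k "$(rpm -K "$1" 2>&1)"
}

# Constructed sample lines for reference:
#   pkg.rpm: (sha1) dsa sha1 md5 gpg OK          -> SIGNED
#   pkg.rpm: sha1 md5 OK                         -> UNSIGNED
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000) -> FAILED
```

In an install script, treat any non-zero return from `verify_rpm` as a reason to stop before installing the package.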