3.3. Checking a Package's Signature
If you only wish to verify that a package was not corrupted during download, you can check just its digests, skipping any signature, by entering this command at the shell prompt (where <rpm_file> is the file name of the RPM package):
rpm -K --nosignature <rpm_file>
The output
<rpm_file>: sha1 md5 OK
(specifically the OK at the end of it) indicates that the file was not corrupted during download. The exact list of checks printed depends on the rpm version (newer releases summarize it as "<rpm_file>: digests OK"), and when signature checking is not disabled the signature results appear alongside the digests, for example:
<rpm_file>: rsa sha1 (md5) pgp md5 OK
Lowercase tokens are checks that passed; a failed check is printed in uppercase and the line ends in NOT OK. Keep in mind that a digest check alone proves nothing about who built the package: anyone who alters an RPM can simply recompute its digests, so only a signature can tell you the package is genuine. To see a more verbose message, replace -K with -Kvv in the command.
On the other hand, how trustworthy is the developer who created the package? If the package is signed with the developer's GnuPG key, a valid signature tells you that the package was produced by whoever holds that key and has not been modified since it was signed. That assurance is only as strong as your confidence that the key really belongs to the developer or project it claims to, so obtain the key from a source you trust and compare its fingerprint against the one the project publishes before importing it.
An RPM package can be signed using Gnu Privacy Guard (or GnuPG), to help you make certain your downloaded package is trustworthy.
GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption technology of PGP, an electronic privacy program. With GnuPG, you can authenticate the validity of documents and encrypt/decrypt data to and from other recipients. GnuPG is capable of decrypting and verifying PGP 5.x files as well.
GnuPG is installed by default, which enables you to immediately start using it to verify any packages that you download from the Fedora Project. Before doing so, you first need to import the correct Fedora key into the RPM database.
Fedora GnuPG keys are located in the /etc/pki/rpm-gpg/ directory; they were installed together with the system, so they came from the same installation media you already trust. To verify a Fedora Project package, first import the correct key based on your processor architecture (this writes to the RPM database, so run it as root):
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64
To display a list of all keys installed for RPM verification, execute the command (quote the pattern so the shell does not expand it against files in the current directory):
rpm -qa 'gpg-pubkey*'
For the Fedora Project key imported above, the output includes a line such as:
gpg-pubkey-57bbccba-4a6f97af
The first hexadecimal field is the short key ID and the second is the key's creation time. To display details about a specific key, including the owner's name and e-mail address in the Summary line, use rpm -qi followed by the name from the previous output:
rpm -qi gpg-pubkey-57bbccba-4a6f97af
With the key imported, check both the digests and the signature of a downloaded package by running rpm -K <rpm_file> without --nosignature. A genuine package shows lowercase signature tokens (rsa, pgp, or the newer "signatures") and the line ends in OK; a package whose signing key is not in the RPM database is reported as NOT OK with a MISSING KEYS note.
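The whole procedure above (import the key, run rpm -K, list the keys) as one shell script. This is an added example, not part of the Fedora documentation, and it assumes nothing beyond the rpm command itself. Its point is a check the plain OK does not make explicit: an unsigned package also reports its digests as OK and rpm -K exits 0, so the script classifies each line of rpm -K output as signed-ok, unsigned, or bad and refuses anything but a verified signature. The sample lines embedded in it are constructed for this example, following the two output formats rpm -K has used (the token list shown above and the newer digests/signatures summary).

```shell
#!/bin/sh
# Added example (not from the Fedora documentation): wrap `rpm -K` so that
# "digests OK on an unsigned package" is never mistaken for a good signature.
#
# Usage: sh verify-rpm.sh [-k KEYFILE] PACKAGE...
#   -k KEYFILE  import KEYFILE (e.g. /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-x86_64)
#               into the RPM database first; this needs root.
#   With no PACKAGE arguments the script only classifies its built-in samples.

# classify_rpm_k LINE
#   Prints one of: signed-ok, unsigned, bad  for one line of `rpm -K` output.
classify_rpm_k() {
    line=$1
    case "$line" in
        *"NOT OK"*) echo bad; return 0 ;;   # failed digest/signature, or MISSING KEYS
        *" OK")     ;;                      # every check rpm performed passed
        *)          echo bad; return 0 ;;   # unexpected text (e.g. rpm not found): fail closed
    esac
    tokens=${line#*: }                      # drop the "<file>: " prefix
    # Lowercase tokens are checks that passed. A signature token means a key in
    # the RPM database verified the package; digests alone mean it is unsigned.
    case " $tokens " in
        *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*|*" signatures "*) echo signed-ok ;;
        *) echo unsigned ;;
    esac
}

# verify_rpm FILE
#   Exit 0 only when rpm reports a good signature from an imported key.
verify_rpm() {
    # rpm -K exits non-zero on NOT OK; capture the text and classify it instead.
    out=$(rpm -K "$1" 2>&1) || true
    case "$(classify_rpm_k "$out")" in
        signed-ok) echo "$1: signed; digests and signature verified"; return 0 ;;
        unsigned)  echo "$1: digests OK but the package is NOT signed; do not trust it" >&2; return 1 ;;
        *)         echo "$1: verification FAILED: $out" >&2; return 1 ;;
    esac
}

# list_rpm_keys
#   Same information as `rpm -qa 'gpg-pubkey*'` plus each key's owner:
#   VERSION is the short key ID, RELEASE the creation time, SUMMARY the user ID.
list_rpm_keys() {
    rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}  %{SUMMARY}\n'
}

# Constructed sample lines (written for this example in the formats rpm -K
# prints), used when the script is run without package arguments.
SAMPLES='pkg.rpm: rsa sha1 (md5) pgp md5 OK
pkg.rpm: sha1 md5 OK
pkg.rpm: RSA sha1 (MD5) PGP MD5 NOT OK (MISSING KEYS: GPG#57bbccba)
pkg.rpm: digests signatures OK
pkg.rpm: digests OK
pkg.rpm: digests SIGNATURES NOT OK'

if [ "$1" = -k ]; then
    rpm --import "$2" || exit 1
    shift 2
fi

if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLES" | while IFS= read -r l; do
        printf '%-70s -> %s\n' "$l" "$(classify_rpm_k "$l")"
    done
else
    rc=0
    for pkg in "$@"; do
        verify_rpm "$pkg" || rc=1
    done
    exit "$rc"
fi
```

Run it as root with -k to import the key first, then pass the downloaded packages; anything that is not signed-ok makes the script exit non-zero, which is what you want in a download-and-install pipeline. Note that verify_rpm fails closed: if rpm is missing or prints something the classifier does not recognize, the package is reported as failed rather than unsigned.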