Checking a Package's Signature; Importing Keys - Red Hat Enterprise Linux 5 Deployment Manual

Chapter 10. Package Management with RPM
• 5 — MD5 checksum
• S — file size
• L — symbolic link
• T — file modification time
• D — device
• U — user
• G — group
• M — mode (includes permissions and file type)
• ? — unreadable file
If you see any output, use your best judgment to determine if you should remove the package, reinstall
it, or fix the problem in another way.

10.3. Checking a Package's Signature

If you wish to verify that a package has not been corrupted or tampered with, examine only the
md5sum by typing the following command at a shell prompt (where <rpm-file> is the file name of
the RPM package):
rpm -K --nosignature <rpm-file>
The message <rpm-file>: md5 OK is displayed. This brief message means that the file was not
corrupted by the download. To see a more verbose message, replace -K with -Kvv in the command.
On the other hand, how trustworthy is the developer who created the package? If the package is
signed with the developer's GnuPG key, you know that the developer really is who they say they are.
An RPM package can be signed using Gnu Privacy Guard (or GnuPG), to help you make certain your
downloaded package is trustworthy.
GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption
technology of PGP, an electronic privacy program. With GnuPG, you can authenticate the validity of
documents and encrypt/decrypt data to and from other recipients. GnuPG is capable of decrypting and
verifying PGP 5.x files as well.
During installation, GnuPG is installed by default. That way you can immediately start using GnuPG to
verify any packages that you receive from Red Hat. Before doing so, you must first import Red Hat's
public key.
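
An added example, not part of the original manual: a shell function that classifies one line of `rpm -K` output, so that a script never treats a digest-only `md5 OK` as proof of where a package came from. The function names and sample lines are constructed; output formats other than `md5 OK` are assumed from rpm's convention that a lower-case check name passed and an upper-case one failed or lacks its key.

```shell
#!/bin/sh
# Added example. Function names and sample lines are constructed.
# Assumed rpm convention: a lower-case check name means it passed, an
# upper-case name means it failed, "(NAME)" means the key is missing.

# classify_rpm_check LINE -> signed-ok | digest-only | missing-key | failed | unknown
classify_rpm_check() {
    result=${1#*: }                      # drop the "<rpm-file>: " prefix
    case $result in
        *"NOT OK"*)
            case $result in
                *"MISSING KEYS"*) echo missing-key ;;  # signed, key not imported
                *)                echo failed ;;       # digest or signature mismatch
            esac ;;
        *" OK")
            case " $result " in
                *" gpg "*|*" pgp "*|*" dsa "*|*" rsa "*|*" signatures "*)
                    echo signed-ok ;;    # a signature was actually verified
                *)  echo digest-only ;;  # e.g. "md5 OK": intact, origin unproven
            esac ;;
        *)  echo unknown ;;
    esac
}

# require_signed LINE: succeed only when a signature was verified.
require_signed() {
    [ "$(classify_rpm_check "$1")" = signed-ok ]
}

# Constructed sample lines; on a real system feed `rpm -K <rpm-file>` output instead.
while IFS= read -r line; do
    printf '%-12s %s\n' "$(classify_rpm_check "$line")" "$line"
done <<'EOF'
example-1.0-1.i386.rpm: md5 OK
example-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
example-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
example-1.0-1.i386.rpm: sha1 MD5 NOT OK
EOF
```

Use `require_signed` as the gate before an install step; `missing-key` means the public key has to be imported before the signature can be checked.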

10.3.1. Importing Keys

To verify Red Hat packages, you must import the Red Hat GPG key. To do so, execute the following
command at a shell prompt: