Using The Red Hat Errata Website; Verifying Signed Packages - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

Updating Packages

42.5.1.2. Using the Red Hat Errata Website

When security errata reports are released, they are published on the Red Hat Errata website available
at http://www.redhat.com/security/. From this page, select the product and version for your system,
and then select security at the top of the page to display only Red Hat Enterprise Linux Security
Advisories. If the synopsis of one of the advisories describes a package used on your system, click on
the synopsis for more details.
The details page describes the security exploit and any special instructions that must be performed in
addition to updating the package to fix the security hole.
To download the updated package(s), click on the link to login to Red Hat Network, click the package
name(s) and save to the hard drive. It is highly recommended that you create a new directory, such as
/tmp/updates, and save all the downloaded packages to it.

42.5.1.3. Verifying Signed Packages

All Red Hat Enterprise Linux packages are signed with the Red Hat, Inc. GPG key. GPG stands
for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of
distributed files. For example, a private key (secret key) held by Red Hat locks the package while the
public key unlocks and verifies the package. If the public key distributed by Red Hat does not match
the private key during RPM verification, the package may have been altered and therefore cannot be
trusted.
The RPM utility within Red Hat Enterprise Linux automatically tries to verify the GPG signature of an
RPM package before installing it. If the Red Hat GPG key is not installed, install it from a secure, static
location, such as an Red Hat Enterprise Linux installation CD-ROM.
Assuming the CD-ROM is mounted in /mnt/cdrom, use the following command to import it into the
keyring (a database of trusted keys on the system):
rpm --import /mnt/cdrom/RPM-GPG-KEY-redhat-release
To display a list of all keys installed for RPM verification, execute the following command:
rpm -qa gpg-pubkey*
For the Red Hat key, the output includes the following:
gpg-pubkey-37017186-45761324
To display details about a specific key, use the rpm -qi command followed by the output from the
previous command, as in this example:
rpm -qi gpg-pubkey-37017186-45761324
It is extremely important to verify the signature of the RPM files before installing them to ensure
that they have not been altered from the Red Hat, Inc. release of the packages. To verify all the
downloaded packages at once, issue the following command:
599