Red Hat LINUX 7.2 - OFFICIAL LINUX CUSTOMIZATION GUIDE Manual page 255

Section 25.3:Checking a Package's Signature
25.3.1 Importing Keys
When you import a public key, you add that key to your keyring (a file in which public and secret keys
are kept). Then, when you download a document or file from that entity, you can check the validity of
that document against the key you added to your keyring.
To import a key, use the --import option. To demonstrate, download and import Red Hat's public
key. That way, any time you want to validate a package from Red Hat, you will be able to check it
against the key you retrieved.
You can find Red Hat's key at http://www.redhat.com/about/contact.html. Using your browser, down-
load the key by pressing the
to save the file (for example redhat2.asc). Then, at the shell prompt, import the key with the
following command:
gpg --import redhat2.asc
The resulting message tells you that the key was processed. To check that the key was added, type
gpg --list-keys. You'll see the key you just downloaded from Red Hat, as well as your own
keys.
[newuser@localhost newuser]$ gpg --list-keys
/home/newuser/.gnupg/pubring.gpg
-----------------------------------------
pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc <security@redhat.com>
sub 2048g/961630A2 1999-09-23
Sometimes, you will not be able to download a key from a link. Keys are text
files, so they can be moved to your machine in any way a regular text file can
be saved. As long as you know the name and location of the file you saved,
you can import it to your keyring.
25.3.2 Verifying Packages
To check the GnuPG signature of an RPM file after importing the builder's GnuPG key, use the
following command (replace coolapp with the filename of your RPM package):
rpm --checksig coolapp-1.1-1.rpm
If all goes well, you will see the message: md5 gpg OK. That means that the package is not corrupt.
key while you click on the download link, then click the
[Shift]
Keys Do Not Have to be Links
255
button
OK