If you wish to verify that a package has not been corrupted or tampered
with, examine only the md5sum by typing the following command at a shell
prompt (replace coolapp with the filename of your
RPM package):
rpm --checksig --nogpg coolapp-1.1-1.rpm |
You'll see the message coolapp-1.1-1.rpm: md5
OK. This brief message means that the file was not
corrupted by the download.
On the other hand, how trustworthy is the developer who created the
package? If the package is signed with the
developer's GnuPG key,
you'll know that the developer really is who they say they are.
An RPM package can be signed using
Gnu Privacy Guard (or
GnuPG), to help you make certain your
downloaded package is trustworthy.
GnuPG is a tool for secure communication; it
is a complete and free replacement for the encryption technology of
PGP, an electronic privacy program. With
GnuPG, you can authenticate the validity of
documents, and encrypt/decrypt data to and from other
recipients. GnuPG is capable of decrypting
and verifying PGP
5.x files, as well.
During the installation of Red Hat Linux, GnuPG is
installed by default. That way you can immediately start using
GnuPG to verify any packages that you receive
from Red Hat. First, you will need to import Red Hat's public key.
When you import a public key, you add that key to your
keyring (a file in which public and secret keys
are kept). Then, when you download a document or file from that
entity, you can check the validity of that document against the key
you added to your keyring.
To import a key, use the --import option. To
demonstrate, download and import Red Hat's public key. That way, any time
you want to validate a package from Red Hat, you will be able to check it
against the key you retrieved.
You can find Red Hat's key at http://www.redhat.com/about/contact.html. Using
your browser, download the key by pressing the [Shift]
key while you click on the download link, then click the
OK button to save the file (for example
redhat2.asc). Then, at the shell prompt, import the key
with the following command:
The resulting message tells you that the key was processed.
To check that the key was added, type gpg
--list-keys. You'll see the key you just downloaded from
Red Hat, as well as your own keys.
[newuser@localhost newuser]$ gpg --list-keys
/home/newuser/.gnupg/pubring.gpg
-----------------------------------------
pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc <security@redhat.com>
sub 2048g/961630A2 1999-09-23 |
 | Keys Do Not Have to be Links |
|---|
| | Sometimes, you will not be able to download a key from a
link. Keys are text files, so they can be moved to your machine in
any way a regular text file can be saved. As long as you know the
name and location of the file you saved, you can import it to your
keyring.
|
To check the GnuPG signature of an
RPM file after importing the builder's
GnuPG key, use the following command
(replace coolapp with the filename of your
RPM package):
rpm --checksig coolapp-1.1-1.rpm |
If all goes well, you will see the message: md5 gpg
OK. That means that the package is not
corrupt.
