When you download an rpm from the Web or an ftp site, for the sake of security
you may want to verify its integrity before installing. All rpms carry an MD5
sum, which detects a corrupted or truncated download but does not prove who
built the package. Additionally, some authors employ a PGP or GPG signature to
further secure their packages; only that signature ties the package to its
author's key. To check the signature of a package, you can use the --checksig
option:
# rpm --checksig xsnow-1.41-1.i386.rpm
xsnow-1.41-1.i386.rpm: md5 GPG NOT OK
Wait a minute! According to that output, the GPG signature is NOT OK.
Let's add some verbosity to see what's wrong:
# rpm --checksig -v xsnow-1.41-1.i386.rpm
xsnow-1.41-1.i386.rpm:
MD5 sum OK: 8ebe63b1dbe86ccd9eaf736a7aa56fd8
gpg: Signature made Thu 10 May 2001 01:16:27 AM EDT using DSA key ID B1F6E46C
gpg: Can't check signature: public key not found
So, the problem is that the author's public key is not in our GPG keyring,
so gpg has nothing to check the signature against. After we retrieve the public
key from the package author's Website (shown in the output from rpm -qi) and
import it, the signature checks out:
# gpg --import dan.asc
gpg: key B1F6E46C: public key imported
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg: imported: 1
# rpm --checksig xsnow-1.41-1.i386.rpm
xsnow-1.41-1.i386.rpm: md5 gpg OK
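As an added example (not part of the original text), here is a small shell helper that classifies the output of rpm --checksig -v in the format shown above, so a script can tell a genuinely bad signature apart from a signature it merely cannot check because the signer's key is missing. The sample output embedded in it is constructed from the lines above; the "NOKEY" marker (printed by newer rpm releases) and the "Good signature"/"BAD signature" lines (printed by gpg) do not appear on this page and are my assumptions about those tools' output; the function names are my own.

```shell
#!/bin/sh
# Classify the output of `rpm --checksig -v <pkg>` so a script can act on it.
# Prints one verdict word and returns: 0 OK, 1 bad/unverified signature,
# 2 signer's public key not in the keyring, 3 MD5 mismatch, 4 unrecognised.

# has_line PATTERN TEXT : true if TEXT contains the fixed string PATTERN
has_line() { printf '%s\n' "$2" | grep -qF -e "$1"; }

classify_checksig() {
    out=$(cat)   # the checksig output arrives on stdin
    # A present but non-OK MD5 line means the payload itself is damaged.
    if has_line 'MD5 sum' "$out" && ! has_line 'MD5 sum OK' "$out"; then
        echo "BAD_MD5"; return 3
    fi
    # Old rpm shells out to gpg ("public key not found"); newer rpm says NOKEY.
    if has_line 'public key not found' "$out" || has_line 'NOKEY' "$out"; then
        keyid=$(printf '%s\n' "$out" \
            | sed -n 's/.*key ID \([0-9A-Fa-f]\{1,\}\).*/\1/p' | head -n 1)
        echo "MISSING_KEY ${keyid:-unknown}"; return 2
    fi
    if has_line 'BAD signature' "$out"; then echo "BAD_SIG"; return 1; fi
    # Either gpg's verbose verdict or rpm's one-line summary.
    if has_line 'Good signature' "$out" || has_line ': md5 gpg OK' "$out"; then
        echo "OK"; return 0
    fi
    # One-line summary without -v only tells us NOT OK; rerun with -v for why.
    if has_line 'NOT OK' "$out"; then echo "NOT_OK"; return 1; fi
    echo "UNKNOWN"; return 4
}

# verify_rpm PKG : run the real check (rpm mixes stdout and stderr, so merge).
verify_rpm() {
    rpm --checksig -v "$1" 2>&1 | classify_checksig
}

# Constructed sample: the verbose output shown above before the key was imported.
SAMPLE_MISSING_KEY="xsnow-1.41-1.i386.rpm:
MD5 sum OK: 8ebe63b1dbe86ccd9eaf736a7aa56fd8
gpg: Signature made Thu 10 May 2001 01:16:27 AM EDT using DSA key ID B1F6E46C
gpg: Can't check signature: public key not found"

# Constructed sample: the one-line summary shown above after the key was imported.
SAMPLE_OK="xsnow-1.41-1.i386.rpm: md5 gpg OK"

# With a package path as argument, check the real file; otherwise demo on the sample.
if [ -n "${1:-}" ]; then
    verify_rpm "$1" || echo "verdict above is not OK: do not install"
else
    printf '%s\n' "$SAMPLE_MISSING_KEY" | classify_checksig \
        || echo "(sample: import the signer's key with gpg --import, then re-check)"
fi
```

The MISSING_KEY verdict carries the key ID so a wrapper can fetch and import exactly that key before re-running the check, while BAD_SIG and BAD_MD5 are the cases where importing more keys cannot help and the package should not be installed.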