LPI certification 102 exam prep, Part 1
5. rpm, the (R)ed Hat (P)ackage (M)anager
  


Verifying the integrity of a package


When you download an rpm from the Web or an ftp site, you may want to verify its integrity before installing it. All rpms are "signed" with an MD5 sum; this is a checksum stored in the package, so it detects a corrupted download but says nothing about who built the package. Additionally, some authors employ a PGP or GPG signature to further secure their packages. To check the signature of a package, you can use the --checksig option:


# rpm --checksig xsnow-1.41-1.i386.rpm
xsnow-1.41-1.i386.rpm: md5 GPG NOT OK

Wait a minute! According to that output, the GPG signature is NOT OK (rpm prints the check that failed in uppercase). Let's add some verbosity to see what's wrong:


# rpm --checksig -v xsnow-1.41-1.i386.rpm 
xsnow-1.41-1.i386.rpm:
MD5 sum OK: 8ebe63b1dbe86ccd9eaf736a7aa56fd8
gpg: Signature made Thu 10 May 2001 01:16:27 AM EDT using DSA key ID B1F6E46C
gpg: Can't check signature: public key not found

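So, the problem is that gpg couldn't find the author's public key in our keyring. After we retrieve the public key from the package author's Web site (shown in the output from rpm -qi) and import it, the signature checks out. A signature check is only as trustworthy as the key behind it, so compare the key's fingerprint (gpg --fingerprint) with one the author publishes through a separate channel before relying on the result: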


# gpg --import dan.asc
gpg: key B1F6E46C: public key imported
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg:               imported: 1

# rpm --checksig xsnow-1.41-1.i386.rpm 
xsnow-1.41-1.i386.rpm: md5 gpg OK
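
For scripted installs, the one-line --checksig result shown above can be classified before rpm -i is allowed to run. The following is an added example, not part of the original tutorial; the function names are hypothetical, it assumes the output format shown on this page (other rpm versions print different tokens), and the "md5 OK" sample line is constructed to show a package that passes its checksum but carries no GPG signature.

```shell
#!/bin/sh
# Added example: classify one line of `rpm --checksig` output in the format
# shown on this page: "<file>: <checks...> OK" or "<file>: <checks...> NOT OK".

# checksig_verdict LINE -> prints verified | digest-only | failed | unparsed
checksig_verdict() {
    line=$1
    # Everything after the last ": " is the list of checks plus the result.
    case $line in
        *": "*) checks=${line##*: } ;;
        *)      echo unparsed; return 0 ;;
    esac
    # "NOT OK" also ends in " OK", so it has to be tested first.
    case $checks in
        *"NOT OK") echo failed;   return 0 ;;
        *" OK")    ;;
        *)         echo unparsed; return 0 ;;
    esac
    # The result is OK. Was a signature among the checks, or only the digest?
    case " $checks " in
        *" gpg "*|*" pgp "*) echo verified ;;
        *)                   echo digest-only ;;
    esac
}

# verify_rpm FILE: succeed only when rpm reports a good GPG/PGP signature,
# so an unsigned package whose MD5 sum matches is still rejected.
verify_rpm() {
    out=$(rpm --checksig "$1" 2>&1) || true
    [ "$(checksig_verdict "$out")" = verified ]
}

# Demo on sample lines: the first two are from this page, the third is constructed.
for sample in \
    "xsnow-1.41-1.i386.rpm: md5 GPG NOT OK" \
    "xsnow-1.41-1.i386.rpm: md5 gpg OK" \
    "xsnow-1.41-1.i386.rpm: md5 OK"
do
    printf '%-45s -> %s\n' "$sample" "$(checksig_verdict "$sample")"
done
```

A caller would gate installation with something like: verify_rpm xsnow-1.41-1.i386.rpm && rpm -i xsnow-1.41-1.i386.rpm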
