3.1.3. Verifying Signed Packages

All Red Hat Enterprise Linux packages are signed with the Red Hat, Inc. GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. Red Hat signs each package with a private key (secret key) that only it holds; the corresponding public key, which is distributed to everyone, verifies that signature. If the signature on a package does not verify against the Red Hat public key during RPM verification, the package may have been altered and therefore cannot be trusted.

The RPM utility within Red Hat Enterprise Linux automatically tries to verify the GPG signature of an RPM package before installing it. If the Red Hat GPG key is not installed, install it from a secure, static location, such as a Red Hat Enterprise Linux installation CD-ROM.

Assuming the CD-ROM is mounted in /mnt/cdrom, use the following command to import it into the keyring (a database of trusted keys on the system):

    rpm --import /mnt/cdrom/RPM-GPG-KEY

To display a list of all keys installed for RPM verification, execute the following command:

    rpm -qa gpg-pubkey*

For the Red Hat key, the output includes the following:

    gpg-pubkey-db42a60e-37ea5438

To display details about a specific key, use the rpm -qi command followed by the output from the previous command, as in this example:

    rpm -qi gpg-pubkey-db42a60e-37ea5438

It is extremely important to verify the signature of the RPM files before installing them to ensure that they have not been altered from the Red Hat, Inc. release of the packages. To verify all the downloaded packages at once, issue the following command:

    rpm -K /tmp/updates/*.rpm

For each package, if the GPG signature verifies successfully, the command returns gpg OK. If it does not, make sure that you are using the correct Red Hat public key, and verify the source of the content. Packages that do not pass GPG verification should not be installed, as they may have been altered by a third party.

After verifying the GPG key and downloading all the packages associated with the errata report, install the packages as root at a shell prompt.
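The steps above (import the key, confirm it is listed in the keyring, verify the downloaded packages with rpm -K, and install only what passed) can be tied together so that a single failed package blocks the whole update. The script below is an added example; it is not part of the Red Hat guide or of the rpm project. It assumes the /tmp/updates directory and the /mnt/cdrom/RPM-GPG-KEY path from the text, that rpm -K reports a verified signature with a lower-case gpg OK and a failure with NOT OK, and that installation is done with rpm -Uvh, which this section does not spell out.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Security Guide or the rpm project:
# import the Red Hat key, confirm it is in the RPM keyring, verify every RPM
# in a directory with `rpm -K`, and install only if all packages passed.
# Assumptions (not from the page): RPMs sit in /tmp/updates unless a directory
# is given, the key file defaults to /mnt/cdrom/RPM-GPG-KEY as in the text,
# and installation uses `rpm -Uvh`.

# Package name shown by `rpm -qa gpg-pubkey*` for the Red Hat key (from the page).
REDHAT_KEY_PKG="gpg-pubkey-db42a60e-37ea5438"

# Classify one `rpm -K` result line. A verified package reports a lower-case
# "gpg OK"; a bad or unverifiable signature reports "NOT OK" (the failing check
# is shown in upper case); an unsigned package reports only digest checks and
# no "gpg" at all. Only the first case is acceptable for installation.
check_line() {
    case "$1" in
        *"NOT OK"*) return 1 ;;   # signature or digest failed, or key missing
        *"gpg OK"*) return 0 ;;   # GPG signature verified with an imported key
        *)          return 1 ;;   # unsigned or unrecognised output: do not trust
    esac
}

# Read `rpm -K` lines on stdin and print the paths of the packages that passed.
passing_packages() {
    while IFS= read -r line; do
        check_line "$line" && printf '%s\n' "${line%%:*}"
    done
    return 0
}

# Import the key only if it is not already present, then confirm it is listed.
ensure_key() {
    keyfile="${1:-/mnt/cdrom/RPM-GPG-KEY}"
    if ! rpm -q "$REDHAT_KEY_PKG" >/dev/null 2>&1; then
        rpm --import "$keyfile" || return 1
    fi
    rpm -q "$REDHAT_KEY_PKG" >/dev/null 2>&1
}

# Verify every RPM in $1; rejected lines go to stderr; return 1 if any failed.
verify_dir() {
    dir="${1:-/tmp/updates}"
    status=0
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || { echo "no .rpm files in $dir" >&2; return 1; }
        result=$(rpm -K "$pkg")
        if check_line "$result"; then
            echo "verified: $pkg"
        else
            echo "REJECTED: $result" >&2
            status=1
        fi
    done
    return $status
}

main() {
    dir="${1:-/tmp/updates}"
    ensure_key "${2:-}" || { echo "Red Hat GPG key is not installed" >&2; exit 1; }
    # Refuse to install anything if even one package fails, so an altered
    # package cannot slip in alongside good ones.
    verify_dir "$dir" || { echo "verification failed; nothing installed" >&2; exit 1; }
    rpm -Uvh "$dir"/*.rpm
}

# Run the procedure only when invoked with a directory argument (as root), e.g.
#   sh verify-updates.sh /tmp/updates /mnt/cdrom/RPM-GPG-KEY
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The all-or-nothing rule in main is deliberate: installing the packages that did pass while skipping one that failed would leave the system in a mixed state and hide the fact that something in the download set was tampered with or came from the wrong source.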


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-4 because CentOS-4 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-4 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.