Chapter 15. Package Management with RPM

• U — user
• G — group
• M — mode (includes permissions and file type)
• ? — unreadable file

If you see any output, use your best judgment to determine whether you should remove or reinstall the package, or fix the problem in another way.

15.3. Checking a Package's Signature

If you wish to verify that a package has not been corrupted or tampered with, examine only the md5sum by typing the following command at a shell prompt (with <file> the file name of the RPM package):

    rpm -K --nosignature <file>

The message <file>: md5 OK is displayed. This brief message means that the file was not corrupted by the download. To see a more verbose message, replace -K with -Kvv in the command.

On the other hand, how trustworthy is the developer who created the package? If the package is signed with the developer's GnuPG key, you know that the developer really is who they say they are. An RPM package can be signed using GNU Privacy Guard (or GnuPG), to help you make certain your downloaded package is trustworthy.

GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption technology of PGP, an electronic privacy program. With GnuPG, you can authenticate the validity of documents and encrypt/decrypt data to and from other recipients. GnuPG is capable of decrypting and verifying PGP 5.x files as well.

During installation, GnuPG is installed by default. That way you can immediately start using GnuPG to verify any packages that you receive from Red Hat. First, you must import Red Hat's public key.

15.3.1. Importing Keys

To verify Red Hat packages, you must import the Red Hat GPG key. To do so, execute the following command at a shell prompt:

    rpm --import /usr/share/rhn/RPM-GPG-KEY

To display a list of all keys installed for RPM verification, execute the command:

    rpm -qa gpg-pubkey*

For the Red Hat key, the output includes:

    gpg-pubkey-db42a60e-37ea5438

To display details about a specific key, use rpm -qi followed by the output from the previous command:
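The two checks described above (rpm -K for digests and signatures, rpm -qa gpg-pubkey* to confirm the signing key is imported) are easy to run by hand but easy to misread in a script: "md5 OK" from rpm -K --nosignature only proves the download was not corrupted, and a signed package whose key has not been imported is reported as NOT OK with MISSING KEYS. The following POSIX shell script is an added example, not code from the Red Hat manual. It assumes the Red Hat key id gpg-pubkey-db42a60e-37ea5438 quoted in the text and the import path /usr/share/rhn/RPM-GPG-KEY; the sample rpm -K output lines and the second key id are constructed for the demonstration. The patterns cover both the older "(sha1) dsa sha1 md5 gpg OK" and the newer "digests signatures OK" output styles of rpm -K; the wrapper verify_rpm is the only part that calls the real rpm binary.

```shell
#!/bin/sh
# Added example (not from the Red Hat manual): decide whether a downloaded
# RPM is safe to install by combining the key check and the rpm -K check.

# classify_checksig_line LINE
#   0 = every check rpm reported is OK
#   1 = a digest or signature failed, or the signing key is not imported
#   2 = line not recognised (treat as failure in callers)
classify_checksig_line() {
    case "$1" in
        *"NOT OK"*)                  return 1 ;;   # bad digest or bad signature
        *"MISSING KEYS"*|*"NOKEY"*)  return 1 ;;   # signed, but key not imported
        *" OK")                      return 0 ;;   # "md5 OK", "gpg OK", "signatures OK"
        *)                           return 2 ;;
    esac
}

# signature_checked LINE
#   0 only if rpm actually examined a signature, not merely the digests
#   (a "--nosignature" run says "md5 OK" and tells you nothing about origin).
signature_checked() {
    case "$1" in
        *gpg*|*GPG*|*pgp*|*PGP*|*signatures*|*SIGNATURES*) return 0 ;;
        *)                                                  return 1 ;;
    esac
}

# key_imported KEYLIST KEYID
#   KEYLIST is the output of `rpm -qa gpg-pubkey*`; 0 if KEYID is one of its lines.
key_imported() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# verify_rpm FILE [KEYID]
#   End-to-end check against the real rpm binary. Exit status 0 means the
#   expected key is imported, rpm reported OK, and a signature was examined.
verify_rpm() {
    file="$1"
    keyid="${2:-gpg-pubkey-db42a60e-37ea5438}"   # Red Hat key id from the manual
    keys=$(rpm -qa 'gpg-pubkey*' 2>/dev/null) || keys=""
    if ! key_imported "$keys" "$keyid"; then
        echo "key $keyid not imported; run: rpm --import /usr/share/rhn/RPM-GPG-KEY" >&2
        return 1
    fi
    out=$(rpm -K "$file" 2>&1)
    echo "$out"
    classify_checksig_line "$out" && signature_checked "$out"
}

# Constructed sample lines (not captured from a real system) so the
# classifiers can be exercised on a machine without rpm installed.
for sample in \
    "foo-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK" \
    "foo-1.0-1.i386.rpm: md5 OK" \
    "foo-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)" \
    "foo-1.0-1.i386.rpm: digests SIGNATURES NOT OK"
do
    if classify_checksig_line "$sample" && signature_checked "$sample"; then
        echo "INSTALL  : $sample"
    elif classify_checksig_line "$sample"; then
        echo "INTEGRITY ONLY (origin unverified): $sample"
    else
        echo "REJECT   : $sample"
    fi
done
```

On a real system, call verify_rpm foo-1.0-1.i386.rpm after importing the key; a non-zero exit means either the key is missing or rpm did not report a verified signature, and the package should not be installed until that is resolved.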