SBDavid
Jun 4th, 2009
Jun 4th, 2009
Verifying Signed Packages using GNU Privacy Guard
Verifying Signed Packages using GNU Privacy Guard
GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) locks the package while the public key unlocks and verifies the package. If the public key distributed by OS does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted.
Assuming the disc is mounted in /mnt/cdrom, use the following command to import it into the keyring (a database of trusted keys on the system)
rpm –import /mnt/cdrom/RPM-GPG-KEY
To verify all the downloaded packages at once, issue the following command:
rpm -K /tmp/updates/*.rpm
For each package, if the GPG key verifies successfully, the command returns gpg OK.
