Verifying Signed Packages using GNU Privacy Guard

GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) signs ("locks") the package, while the matching public key verifies ("unlocks") it. If the public key distributed by the OS does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted.
Assuming the disc is mounted in /mnt/cdrom, use the following command to import the public key into the keyring (a database of trusted keys on the system):

rpm --import /mnt/cdrom/RPM-GPG-KEY

To verify all the downloaded packages at once, issue the following command:

rpm -K /tmp/updates/*.rpm

For each package whose GPG signature verifies successfully, the command's output includes gpg OK.
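
rpm -K also reports OK for a package that carries only digests and no signature, so a batch check should look for the gpg field and not just for OK. The script below is an added example, not part of the original post: its function names are hypothetical, the sample lines are constructed, and the exact wording of rpm -K output is an assumption that varies between rpm versions.

```shell
#!/bin/sh
# Added example: gate on `rpm -K` output. Function names are hypothetical.

# Classify one output line as: signed-ok | unsigned | failed
classify_rpm_k_line() {
    result=${1#*: }              # drop "path.rpm: " so file names cannot match
    case "$result" in
        *"NOT OK"*) echo failed ;;          # bad digest/signature or missing key
        *OK)
            case " $result " in
                # a verified signature is reported as a lowercase field
                *" gpg "*|*" pgp "*|*" signatures "*) echo signed-ok ;;
                *) echo unsigned ;;         # digests matched, nothing was signed
            esac ;;
        *) echo failed ;;                   # unrecognised output: fail closed
    esac
}

# Read `rpm -K` output on stdin and print every package that is not signed-ok.
# Returns 0 only when all packages carried a verified signature.
check_rpm_k_output() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        status=$(classify_rpm_k_line "$line")
        if [ "$status" != signed-ok ]; then
            echo "$status: ${line%%: *}"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample lines (wording differs between rpm versions).
sample_output() {
    cat <<'EOF'
/tmp/updates/a-1.0.rpm: (sha1) dsa sha1 md5 gpg OK
/tmp/updates/b-1.0.rpm: sha1 md5 OK
/tmp/updates/c-1.0.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
/tmp/updates/d-1.0.rpm: digests signatures OK
EOF
}

# Real use: rpm -K /tmp/updates/*.rpm | check_rpm_k_output
sample_output | check_rpm_k_output || echo "do not install the packages listed above"
```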
