Hey look at this spooky key. Don't be frightened little one. Nothing scary is going to happen to you here. This is a safe place. As a matter of fact, if you stick around you might just learn a thing or two. A thing or two about GPG!
First off do any of us really know what GPG stands for? Well yes we do! It stands for GNU Privacy Guard. RPM Package creators use GPG to apply a digital signature to their packages. If a package was tampered with, then its GPG signature will no longer match what was placed in the original package.
First off to check what keys you have installed on your Linux server you can run the following rpm command as show in the example below.
[root@ip-172-31-22-45 ~]# rpm -qa gpg-pubkey
gpg-pubkey-0608b895-4bd22942
gpg-pubkey-fd431d51-4ae0493b
gpg-pubkey-2fa658e0-45700c69
Neet I have three keys installed. But lets say want to install another one. Well I can do so with the command below. In this example I have navigated to /etc/pki/rpm-gpg and am going to install the redhat beta key on my server.
[root@ip-172-31-22-45 rpm-gpg]# rpm –import RPM-GPG-KEY-redhat-beta
Hey that was fun. Now lets get our hands a bit dirtier.
Want to get more information on a specific key. Then this command is your huckleberry. Here you can see that this is the pubkey for the EPEL repo.
[root@ip-172-31-22-45 rpm-gpg]# rpm -qi gpg-pubkey-0608b895-4bd22942
Name : gpg-pubkey Relocations: (not relocatable)
Version : 0608b895 Vendor: (none)
Release : 4bd22942 Build Date: Sat 14 Jun 2014 09:13:58 AM EDT
Install Date: Sat 14 Jun 2014 09:13:58 AM EDT Build Host: localhost
Group : Public Keys Source RPM: (none)
Size : 0 License: pubkey
Signature : (none)
Summary : gpg(EPEL (6) <epel@fedoraproject.org>)
Description :
To verify signature of a downloaded package, use the rpm command as shown below. In this example I have highlighted the key that was used to sign this package.
# rpm -vK nautilus-dropbox-1.6.0-1.fedora.i386.rpm
nautilus-dropbox-1.6.0-1.fedora.i386.rpm:
Header V3 RSA/SHA1 Signature, key ID 5044912e: OK
Header SHA1 digest: OK (a4d51906633f92913db075ba33946f50999c245e)
V3 RSA/SHA1 Signature, key ID 5044912e: OK
MD5 digest: OK (1b8ff7abc18f68bf274e24fc57fd3a87)
Using the bolded information in the example above, I can then use this information to track down the exact key that was used to sign the package.
[root@localhost Downloads]# rpm -qa | grep 5044912e
gpg-pubkey-5044912e-4b7489b1
Is this awesome, well not really, but you never know when you might need to use this information. Like on a test. Wink Wink.
Related articles