Note: All the commands were tested on CentOS 5.x. Your output may vary depending
on distribution and version, so your results may not always look exactly like
the listings shown here. Almost everything works the same way on
RHEL/CentOS/Fedora.
Why check the signature of an RPM:
The signature confirms that the package was signed by an authorized party, and
it also confirms the integrity and origin of the file. It is extremely important
to verify the signature of RPM files before installing them, to ensure that
they have not been altered since they left the original source of the packages.
Checking a package's Signature:
The --checksig (or -K) option checks all the digests and signatures contained
in PACKAGE_FILE to ensure the integrity and origin of the package. Note that
signatures are now verified whenever a package is read, and --checksig is useful
to verify all of the digests and signatures associated with a package.
If you wish to verify that a package has not been corrupted or tampered with,
examine only the md5sum by typing the following command at a shell prompt (where
<rpm-file> is the file name of the RPM package):
rpm -K --nosignature <rpm-file>
The message <rpm-file>: md5 OK is displayed. This brief message means
that the file was not corrupted during the download. To see a more verbose
message, replace -K with -Kvv in the command.
For demonstration purposes I downloaded the createrepo package from a CentOS
mirror and used it in the examples.
[root@localhost ~]# rpm -K --nosignature createrepo-0.4.11-3.el5.noarch.rpm
createrepo-0.4.11-3.el5.noarch.rpm: sha1 md5 OK
On the other hand, how trustworthy is the developer who created the package? If
the package is signed with the developer's GnuPG key, you know that the developer
really is who they say they are.
An RPM package can be signed using Gnu Privacy Guard (or GnuPG), to help you
make certain your downloaded package is trustworthy. GnuPG is a tool for secure
communication; it is a complete and free replacement for the encryption
technology of PGP, an electronic privacy program. With GnuPG, you can
authenticate the validity of documents and encrypt/decrypt data to and from
other recipients. GnuPG is capable of decrypting and verifying PGP 5.x files as
well.
GnuPG is installed by default during installation. That way you can immediately
start using GnuPG to verify any packages that you receive from CentOS
(RHEL/Fedora). Before doing so, you must first import the CentOS public key. If
you have not imported the correct public key, you will get the following error
message.
[root@localhost ~]# rpm -K createrepo-0.4.11-3.el5.noarch.rpm
createrepo-0.4.11-3.el5.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#e8562897)
Here the GPG in parentheses indicates that there is a problem with the signature,
and the message at the end of the line (MISSING KEYS) shows what the problem is.
Basically, RPM asked GPG to verify the package against a key (GPG#e8562897) that
GPG did not have, and GPG complained. It means the correct public key has not
been imported yet.
How to import public keys:
Digital signatures cannot be verified without a public key. An ASCII-armored
public key can be added to the rpm database using --import. An imported public
key is carried in a header, and key ring management is performed exactly like
package management. For example, all currently imported public keys can be
displayed by:
rpm -qa gpg-pubkey*
To verify CentOS (RHEL/Fedora) packages, you must import the CentOS (RHEL/Fedora)
GPG key. To do so, execute the following command at a shell prompt:
[root@localhost ~]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
This will create duplicate copies if one already exists.
To display a list of all keys installed for RPM verification, execute the command:
[root@localhost ~]# rpm -qa gpg-pubkey*
gpg-pubkey-e8562897-459f07a4
Alternatively, RPM can retrieve the key directly from a mirror:
[root@ ~]# rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
[root@ ~]# rpm -qa gpg-pubkey*
gpg-pubkey-e8562897-459f07a4
gpg-pubkey-e8562897-459f07a4
Note: Depending on your distribution and version, you have to change the mirror link.
With the public key imported, check the signature of the createrepo RPM again.
[root@localhost ~]# rpm -K createrepo-0.4.11-3.el5.noarch.rpm
createrepo-0.4.11-3.el5.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
This means that the signature of the package has been verified and that the
package is not corrupted. If you want to know the name of the key's owner,
execute the command:
[root@~]# rpm -qa gpg-pubkey\* --qf "%{name}-%{version}-%{release}-%{summary}\n"
gpg-pubkey-e8562897-459f07a4-gpg(CentOS-5 Key (CentOS 5 Official Signing Key) <centos-5-key@centos.org>)
gpg-pubkey-e8562897-459f07a4-gpg(CentOS-5 Key (CentOS 5 Official Signing Key) <centos-5-key@centos.org>)
gpg-pubkey-2689b887-42315a9a-gpg(Hewlett-Packard Company (HP Codesigning Service))
Note: To show the difference, I also imported the HP GPG key.
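Putting the checks above together, here is an added example (not from the original post) that classifies rpm -K output lines and checks whether the signer's key id is among the imported gpg-pubkey entries. The function names are my own, the one failure line marked "constructed" is not from the post, and verify_rpm assumes a host where the rpm command is installed.

```shell
#!/bin/sh
# Added example, not from the original post: classify `rpm -K` output so a script
# can tell "digests OK" apart from "signature verified" and "signer's key not
# imported". Line formats are those shown in the post's CentOS 5 listings.

# Print OK, DIGEST_ONLY, MISSING_KEY <id>, NOT_OK or UNKNOWN for one rpm -K line.
classify_checksig_line() {
  case "$1" in
    *"NOT OK"*"MISSING KEYS: GPG#"*)
      # Signed, but rpm has no matching gpg-pubkey entry; extract the key id.
      keyid=$(printf '%s\n' "$1" | sed -n 's/.*MISSING KEYS: GPG#\([0-9a-fA-F]*\).*/\1/p')
      echo "MISSING_KEY $keyid" ;;
    *"NOT OK"*) echo NOT_OK ;;       # a digest or signature did not verify
    *" gpg OK") echo OK ;;           # lowercase gpg = signature verified
    *" OK")     echo DIGEST_ONLY ;;  # e.g. --nosignature: integrity only, origin unproven
    *)          echo UNKNOWN ;;
  esac
}

# Succeed if the 8-hex-digit key id $1 appears in `rpm -qa gpg-pubkey*` output ($2).
key_is_imported() {
  keyid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  printf '%s\n' "$2" | grep -q "^gpg-pubkey-${keyid}-"
}

# On a real CentOS/RHEL host: verify one file and explain the result.
verify_rpm() {
  result=$(classify_checksig_line "$(rpm -K "$1" 2>&1)")
  case "$result" in
    OK)              echo "$1: signature and digests verified" ;;
    DIGEST_ONLY)     echo "$1: digests OK, but no signature was verified" ;;
    "MISSING_KEY "*) echo "$1: signed with GPG#${result#MISSING_KEY }, which is not imported" ;;
    *)               echo "$1: FAILED ($result)" ;;
  esac
}

# Sample lines taken from the post's listings, plus one constructed failure case.
SAMPLE_OK='createrepo-0.4.11-3.el5.noarch.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_MISSING='createrepo-0.4.11-3.el5.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#e8562897)'
SAMPLE_NOSIG='createrepo-0.4.11-3.el5.noarch.rpm: sha1 md5 OK'
SAMPLE_BAD='createrepo-0.4.11-3.el5.noarch.rpm: (SHA1) DSA SHA1 MD5 GPG NOT OK'   # constructed
SAMPLE_KEYLIST='gpg-pubkey-e8562897-459f07a4'   # `rpm -qa gpg-pubkey*` output from the post

for l in "$SAMPLE_OK" "$SAMPLE_MISSING" "$SAMPLE_NOSIG" "$SAMPLE_BAD"; do
  classify_checksig_line "$l"
done
```

A DIGEST_ONLY result is what rpm -K --nosignature gives: it proves the download was not corrupted, but only an OK from a signature check proves who built the package.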
If you are the curious type and want more information about an imported GPG
key, use the following command:
rpm -qi <gpg-pubkey>
[root@localhost data]# rpm -qi gpg-pubkey-e8562897-459f07a4
Name : gpg-pubkey Relocations: (not relocatable)
Version : e8562897 Vendor: (none)
Release : 459f07a4 Build Date: Fri 07 Oct 2011 05:53:03 PM IST
Install Date: Fri 07 Oct 2011 05:53:03 PM IST Build Host: localhost
Group : Public Keys Source RPM: (none)
Size : 0 License: pubkey
Signature : (none)
Summary : gpg(CentOS-5 Key (CentOS 5 Official Signing Key) <centos-5-key@centos.org>)
Description :
You can also view the key's PGP public key block (the Description field of the
rpm -qi output) directly in the key file:
vi /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
Depending on your distribution, change the file path.
Friday, October 7, 2011
Posted by venu k
37 comments | 12:21 PM