FreeKB - RPM - Verify GPG Digital Signature


The rpm command with the -K or --checksig flag can be used to determine if the digital signature of an RPM is OK. Notice in this example that SIGNATURES NOT OK is returned. This almost always means you have not installed the GPG key for the RPM onto your system. However, it can also mean that the signature really is not OK, which can happen if the RPM was tampered with.

]# rpm --checksig https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm: digests SIGNATURES NOT OK

 

The -qa or --query --all flags can be used to display the GPG keys that you have installed. In this example, there is only one GPG key installed.

~]# rpm --query --all gpg-pubkey*
gpg-pubkey-45719a39-5f2c0192

 

The -qi or --query --info flags can be used to display the details of the installed GPG keys. Notice in this example that the GPG key is for Fedora packages.

]# rpm --query --info gpg-pubkey-45719a39-5f2c0192
Name        : gpg-pubkey
Version     : 45719a39
Release     : 5f2c0192
Architecture: (none)
Install Date: Mon 26 Jul 2021 02:39:26 AM CDT
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Thu 06 Aug 2020 08:11:46 AM CDT
Build Host  : localhost
Packager    : Fedora (34) <fedora-34-primary@fedoraproject.org>
Summary     : Fedora (34) <fedora-34-primary@fedoraproject.org> public key
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.16.1.3 (NSS-3)

mQINBF8sAZIBEADKYvLg/5FdLXcVryAFd7Q8qrJq23R7ebxUT1u48Dc8xrsfYJZq
aMcna/xw47wZNyek4Z6YpzqfmnjR7H8yRH/1hAPi/ixYnA6DVL7O3eGE5lYGJzN3
E2ILTzBOI9o/pavvtOqW9N5WIus8cqSdA921v8YPzr3/BTKgGqC9biOrMA+3s...
-----END PGP PUBLIC KEY BLOCK-----

 

You can use the rpm command with the --import option to import the GPG keys onto your system.

rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8

 

And you should now see the newly imported GPG key.

~]# rpm --query --all gpg-pubkey*
gpg-pubkey-45719a39-5f2c0192
gpg-pubkey-2f86d6a1-5cf7cefb

 

Displaying the info of the newly imported GPG key should show, in this example, that it is the GPG key for Fedora EPEL.

]# rpm --query --info gpg-pubkey-2f86d6a1-5cf7cefb
Name        : gpg-pubkey
Version     : 2f86d6a1
Release     : 5cf7cefb
Architecture: (none)
Install Date: Sun 15 Aug 2021 06:14:58 AM CDT
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Wed 05 Jun 2019 09:17:31 AM CDT
Build Host  : localhost
Packager    : Fedora EPEL (8) <epel@fedoraproject.org>
Summary     : Fedora EPEL (8) <epel@fedoraproject.org> public key
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.16.1.3 (NSS-3)

mQINBFz3zvsBEADJOIIWllGudxnpvJnkxQz2CtoWI7godVnoclrdl83kVjqSQp+2
dgxuG5mUiADUfYHaRQzxKw8efuQnwxzU9kZ70ngCxtmbQWGmUmfSThiapOz00018
+eo5MFabd2vdiGo1y+51m2sRDpN8qdCaqXko65cyMuLXrojJHIuvRA/x7iqOr...
-----END PGP PUBLIC KEY BLOCK-----

 

Importing the key will almost always resolve the issue. Notice that signatures OK is now returned.

]# rpm --checksig https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm: digests signatures OK
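
As an added example (not part of the original article): the one-line summary cannot tell a missing key from a tampered package, but the per-line results of rpm --checksig -v can. The script below classifies that verbose output and reports which key ID is missing; it assumes the line format printed by rpm 4.14 and later, and the function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Reads `rpm --checksig -v` output on stdin and prints one verdict:
#   BAD            a digest or signature line reported a failure
#   NOKEY <keyid>  signed, but that public key has not been imported
#   UNSIGNED       digests pass, but there is no signature line at all
#   OK             every digest and signature line passed
classify_checksig() {
    awk '
        / digest: / && $NF != "OK" { bad = 1 }
        /Signature, key ID/ {
            sigs++
            if ($NF == "NOKEY") { nokey = 1; id = $(NF-1); sub(/:$/, "", id) }
            else if ($NF != "OK") { bad = 1 }   # BAD, NOTTRUSTED, ...
        }
        END {
            # The last 8 hex digits match the Version field of gpg-pubkey-*.
            if (bad)        print "BAD"
            else if (nokey) print "NOKEY " substr(id, length(id) - 7)
            else if (!sigs) print "UNSIGNED"
            else            print "OK"
        }'
}

# Runs the real check on a package file or URL; succeeds only on OK.
check_rpm() {
    verdict=$(rpm --checksig -v "$1" | classify_checksig)
    case $verdict in
        NOKEY*) echo "$1: key ${verdict#NOKEY } is not imported" \
                     "(rpm --query --all would list gpg-pubkey-${verdict#NOKEY }-*)" ;;
        *)      echo "$1: $verdict" ;;
    esac
    [ "$verdict" = OK ]
}

# Constructed sample output (not captured from a real run).
SAMPLE_NOKEY='epel-release-latest-8.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'
SAMPLE_BAD='epel-release-latest-8.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 2f86d6a1: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: BAD'
```

A NOKEY verdict is the case that importing the key fixes; a BAD verdict means the package should be discarded and downloaded again from a trusted source.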

 



