Note: All the commands tested on CentOs 5.x.Justify Full Your output may be vary depending on distribution and version, so your results may not always look exactly like the listings and figures shown here. Almost all everything works well on RHEL/CentOs/Fedora.

Why to check signature of an rpm:
The signature confirms that the package was signed by an authorized party and also confirm the integrity and origin of your file. It is extremely important to verify the signature of the RPM files before installing them to ensure that they have not been altered from the original source of the packages.

Checking a package's Signature:
The --checksig(or -K) option checks all the digests and signatures contained in PACKAGE_FILE to ensure the integrity and origin of the package. Note that signatures are now verified whenever a package is read, and --checksig is useful to verify all of the digests and signatures associated with a package.

If you wish to verify that a package has not been corrupted or tampered with, examine only the md5sum by typing the following command at a shell prompt (where is the file name of the RPM package):

rpm -K --nosignature

The message : md5 OK is displayed. This brief message means that the file was not corrupted by the download. To see a more verbose message, replace -K with -Kvv in the command.

For demonstration purpose I downloaded createrepo package from CentOs mirror and used in examples.

[root@localhost ~]# rpm -K --nosignature createrepo-0.4.11-3.el5.noarch.rpm createrepo-0.4.11-3.el5.noarch.rpm: sha1 md5 OK

On the other hand, how trustworthy is the developer who created the package? If the package is signed with the developer's GnuPG key,you know that the developer really is who they say they are.

An RPM package can be signed using Gnu Privacy Guard (or GnuPG), to help you make certain your downloaded package is trustworthy. GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption technology of PGP, an electronic privacy program. With GnuPG, you can authenticate the validity of documents and encrypt/decrypt data to and from other recipients. GnuPG is capable of decrypting and verifying PGP 5.x files as well.

During installation,GnuPG is installed by default. That way you can immediately start using GnuPG to verify any packages that you receive from CentOs(RHEL/Fedor a). Before doing so, you must first import CentOs's public key. If you not imported correct public key, you will get following error message.

[root@localhost ~]# rpm -K createrepo-0.4.11-3.el5.noarch.rpm
createrepo-0.4.11-3.el5.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#e8562897)

Here the GPG in parentheses indicates that there's a problem with the signature, and the message at the end of the line (MISSING KEYS) shows what the problem is. Basically, RPM asked GPG to verify the package against a key(GPG#e8562897) that GPG didn't have, and GPG complained. It means you missed the correct public key.

How to import public keys:
Digital signatures cannot be verified without a public key. An ascii armored public key can be added to the rpm database using --import. An imported public key is carried in a header, and key ring management is performed exactly like package management. For example, all currently imported public keys can be displayed by:

rpm -qa gpg-pubkey*

To verify CentOs (RHEL/Fedora) packages, you must import the CentOs(RHEL/Fedora) GPG key. To do so, execute the following command at a shell prompt:

[root@localhost ~]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
This will create duplicate copies if one already exists.

To display a list of all keys installed for RPM verification,execute the command
[root@localhost ~]# rpm -qa gpg-pubkey*


RPM has the capacity to retrieve the key from a Mirror:
[root@ ~]# rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
[root@ ~]# rpm -qa gpg-pubkey*
Note: Depending on distribution and version, you have to change mirror link.

OK, public key imported, now check signature of the createrepo rpm.

[root@localhost ~]# rpm -K createrepo-0.4.11-3.el5.noarch.rpm
createrepo-0.4.11-3.el5.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
This means that the signature of the package has been verified, and that it is not corrupted. If you want to know public key builder's name , execute the command:

[root@~]# rpm -qa gpg-pubkey\* --qf "%{name}-%{version}-%{release}-%{summary}\n"
gpg-pubkey-e8562897-459f07a4-gpg(CentOS-5 Key (CentOS 5 Official Signing Key))
gpg-pubkey-e8562897-459f07a4-gpg(CentOS-5 Key (CentOS 5 Official Signing Key))
gpg-pubkey-2689b887-42315a9a-gpg(Hewlett-Packard Company (HP Codesigning Service ))

Note: For showing difference I imported HP GPG key.
If you're the curious type and you want to know more information about imported
GPG key, use the following command.

rpm -qi

[root@localhost data]# rpm -qi gpg-pubkey-e8562897-459f07a4
Name : gpg-pubkey Relocations: (not relocatable)
Version : e8562897 Vendor: (none)
Release : 459f07a4 Build Date: Fri 07 Oct 2011 05:53:03 PM IST
Install Date: Fri 07 Oct 2011 05:53:03 PM IST Build Host: localhost
Group : Public Keys Source RPM: (none)
Size : 0 License: pubkey
Signature : (none)
Summary : gpg(CentOS-5 Key (CentOS 5 Official Signing Key) )
Description :
Version: rpm- (NSS-3)

You can view above PGP public key block directly by:

vi /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

Depending on distribution, change file path.


Post a Comment