Product SiteDocumentation Site

11.4.5. Verifying signatures

You can verify the RPM signature to ensure that the package has not been modified since it has been signed. Verification also checks that the package is signed by the key that matches the claimed vendor.
To verify the signature in an RPM, use the -K option to the rpm command. The basic syntax is:
rpm -K package.rpm
Note
This is the rpm command, not the rpmbuild command.
This command accepts the options shown in Table 12-3 to turn off checking for certain types of signatures.
Table 12-3 Options to turn off signature checking
Option
Usage
--nogpg
Don’t check for GPG signatures
--nomd5
Don’t check for MD5 signatures
--nopgp
Don’t check for PGP signatures
You can also use the --checksig option, which is the same as -K. When you run this command on a package that has a verifiable key, you will see output like the following:
# rpm -K xtoolwait-1.3-3.src.rpm
xtoolwait-1.3-3.src.rpm: (sha1) dsa sha1 md5 gpg OK
This verifies that the package has not been changed from when it was first signed. It also verifies that the signature matches the public key from the vendor of the package. This goes a long ways toward verifying that the package is indeed legitimate.
To get more information, add a -v (verbose) option. For example:
$ rpm -Kv vixie-cron-3.0.1-69.src.rpm
vixie-cron-3.0.1-69.src.rpm:
Header V3 DSA signature: OK, key ID db42a60e
Header SHA1 digest: OK (ecbb244ab022ecd23114bb1d6c9bdeb74f8d9520)
MD5 digest: OK (fb0a75eca1d526d391c36dc956c23bdd)
V3 DSA signature: OK, key ID db42a60e
If you run this command on a package that does not verify, you’ll see an error like the following:
# rpm --checksig xtoolwait-1.3-3.src.rpm
xtoolwait-1.3-3.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)
Items that fail are listed in uppercase, such as DSA, while items that succeed appear in lowercase. In this example, the sha1 and md5 tests succeeded, while the DSA test failed. This failure does not necessarily mean that the package is not legitimate. This failure can mean one of three things:
1.The package was not properly signed in the first place. That is, it is a legitimate package but the package author did not properly sign the RPM.
2.The package has been modified in some way. That is, the package is not legitimate.
3.The RPM system has not been initialized with the public key from the package vendor.
From this error, you don’t yet know whether the package is legitimate or not. The first step, though, is to check that you have imported the proper public key from the package vendor.