
11.4.6. Importing public keys

The --import option to the rpm command imports the public key from a given vendor. The format for this key follows:
The following public key can be used to verify RPM packages built and
signed by Red Hat, Inc. using `rpm -K' using the GNU GPG package.
Questions about this key should be sent to security@redhat.com.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
=3AHZ
-----END PGP PUBLIC KEY BLOCK-----
Note
For reasons of space, this is not a complete key.
You need to pass the name of the text file that holds the key to the rpm --import command, as follows:
rpm --import key_file
Note
You must be logged in as the root user to import keys.
For example:
# rpm --checksig xtoolwait-1.3-3.src.rpm
xtoolwait-1.3-3.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)
# rpm --import RPM-GPG-KEY
# rpm --checksig xtoolwait-1.3-3.src.rpm
xtoolwait-1.3-3.src.rpm: (sha1) dsa sha1 md5 gpg OK
This example shows the error message that appears when you try to verify a package's signature before the signing key has been imported (MISSING KEYS). Then, after importing the Red Hat public key, the verification works.
If, after importing this key, you still have problems, you can assume there are problems with the package. Many administrators will refuse to install such packages.
Warning
You should be careful with packages that have signatures that do not verify.
To list the available keys, use a command like the following:
$ rpm -qa | grep -i gpg
gpg-pubkey-db42a60e-37ea5438
This example shows one key installed.
Note
You can erase this key as if it were a package, using the rpm -e command.
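The following shell functions are an added example, not part of the original guide. They sort rpm --checksig result lines into the cases described above: verified, key not yet imported, and a failure that importing a key will not fix. The function names and the third sample line are assumptions constructed for illustration; the other sample values are copied from the output shown on this page.

```shell
#!/bin/sh
# Added example: triage `rpm --checksig` result lines (text only, rpm is not invoked).

# Print the key IDs named after "MISSING KEYS:", one per line, lowercased.
missing_keys() {    # $1 = one checksig result line
    printf '%s\n' "$1" | grep -o 'MISSING KEYS:[^)]*' |
        grep -oE '#[0-9A-Fa-f]+' | tr -d '#' | tr 'A-F' 'a-f'
}

# Succeed if a key ID appears in a package list such as `rpm -qa | grep -i gpg`.
key_installed() {   # $1 = key ID, $2 = newline-separated package names
    printf '%s\n' "$2" | grep -qi "^gpg-pubkey-$1-"
}

# Classify one result line as: ok | missing-key:<id,...> | failed | unknown
classify() {        # $1 = one checksig result line
    case "$1" in
        *"NOT OK"*) ;;                          # fall through to find out why
        *" OK")     echo ok; return 0 ;;
        *)          echo unknown; return 0 ;;
    esac
    ids=$(missing_keys "$1" | paste -sd, -)
    if [ -n "$ids" ]; then
        echo "missing-key:$ids"                 # import the vendor key, then re-check
    else
        echo failed                             # no missing key: a digest or signature did not verify
    fi
}

# Sample lines: BEFORE and AFTER are taken from this page, BAD is constructed.
BEFORE='xtoolwait-1.3-3.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)'
AFTER='xtoolwait-1.3-3.src.rpm: (sha1) dsa sha1 md5 gpg OK'
BAD='xtoolwait-1.3-3.src.rpm: (sha1) dsa sha1 MD5 GPG NOT OK'
INSTALLED='gpg-pubkey-db42a60e-37ea5438'

for line in "$BEFORE" "$AFTER" "$BAD"; do
    printf '%-22s %s\n' "$(classify "$line")" "${line%%:*}"
done
```

A missing-key result names the gpg-pubkey package to look for with key_installed; a failed result on a package whose key is already imported is the case the warning above is about.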