Host Security

Verifying Package Integrity using the rpm command


Practice verifying package integrity using the rpm command. The following example shows the command run against an installed package; rpm compares each file the package installed against the attributes recorded in the RPM database (size, digest, permissions, ownership, timestamps) and lists only the files that differ, so no output means nothing has changed.

Using the rpm command (verifying rpm package integrity):

rpm --verify glibc-2.1.3-15
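The page shows the rpm --verify command but not how to read its output. The script below is an added example, not part of the original page: it decodes the nine-character flag field that rpm --verify prints for each changed file and pulls out the files a defender should look at first (a changed digest on a file that is not a config file). The sample output lines, the package name "example" and its paths are constructed for the demo, not captured from a real system.

```shell
#!/bin/sh
# Added example: decode "rpm --verify" output. Each line is a 9-character field
# (S=size M=mode 5=digest D=device L=symlink U=user G=group T=mtime P=caps),
# an optional file-type letter (c=config d=doc g=ghost l=license r=readme),
# then the path. "missing" replaces the field when the file is gone.

# Constructed sample of rpm --verify output for a hypothetical package "example".
SAMPLE_VERIFY_OUTPUT='S.5....T.  c /etc/example.conf
.......T.    /usr/share/doc/example/README
missing      /usr/bin/example-helper
S.5....T.    /usr/lib/example/plugin.so'

# decode_flags FIELD -> prints the attributes that differ, space separated.
decode_flags() {
  out=""
  case "$1" in S????????) out="$out size" ;; esac
  case "$1" in ?M???????) out="$out mode" ;; esac
  case "$1" in ??5??????) out="$out digest" ;; esac
  case "$1" in ???D?????) out="$out device" ;; esac
  case "$1" in ????L????) out="$out symlink" ;; esac
  case "$1" in ?????U???) out="$out owner" ;; esac
  case "$1" in ??????G??) out="$out group" ;; esac
  case "$1" in ???????T?) out="$out mtime" ;; esac
  case "$1" in ????????P) out="$out capabilities" ;; esac
  printf '%s\n' "${out# }"
}

# verify_report reads rpm --verify output on stdin and prints one line per entry:
#   CHANGED <attrs> <path> [(type X)]   or   MISSING <path> [(type X)]
verify_report() {
  while read -r flags rest; do
    ftype=""; path="$rest"
    case "$rest" in [cdglr]" "*) ftype="${rest%% *}"; path="${rest#* }" ;; esac
    if [ "$flags" = "missing" ]; then
      printf 'MISSING %s%s\n' "$path" "${ftype:+ (type $ftype)}"
    else
      printf 'CHANGED %s %s%s\n' "$(decode_flags "$flags" | tr ' ' ',')" \
        "$path" "${ftype:+ (type $ftype)}"
    fi
  done
}

# suspicious_digests prints paths whose on-disk digest no longer matches the
# database and that are not config files: an edited /etc file is routine, a
# changed binary or library under /usr is a much stronger sign of tampering.
suspicious_digests() {
  while read -r flags rest; do
    case "$flags" in ??5??????) ;; *) continue ;; esac
    case "$rest" in c" "*) continue ;; esac
    printf '%s\n' "${rest#[dglr] }"
  done
}

# Offline demo on the constructed sample. On a real system you would pipe the
# verify output instead:  rpm --verify glibc | verify_report
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | verify_report
echo "--- files worth investigating ---"
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | suspicious_digests
```

Note that rpm --verify trusts the RPM database on the same host; if an attacker can rewrite both the file and the database entry, the comparison is blind. Treat it as a quick local check, not a substitute for verifying the package's signature.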

When you add repositories to your yum facility, in the case of ATRPMs and other repositories that offer a release RPM (such as livna-release), yum is automatically configured with a valid GPG/DSA key and pointed at a valid online repository. When you ask yum to install a package from one of those repositories, the GPG/DSA key is used to validate each package before it is installed. On the other hand, if you are simply installing a local RPM package, you need to do some manual work to verify its contents. To check all the digests and signatures included in an RPM (to make sure it is original and not corrupted), use the --checksig option of rpm. For example, say I have a copy of the dvgrab RPM (which is part of Fedora) in my local directory and I want to check it. I could run the following command:

# rpm --checksig dvgrab-3.4-2.fc11.rpm
dvgrab-3.4-2.fc11.i386.rpm: (sha1) dsa sha1 md5 gpg OK

The preceding output shows that the GPG/DSA key was found and used to check that the package's digests and digital signature (dsa, sha1, and md5) were correct. If, however, you got a package for which you didn't have the GPG/DSA key installed, you would need to get and import that key before you could verify the package. If you trust the Internet site where you are getting the RPM you want to install, look for an indication that the site has signed its packages. Then download the GPG public key and import it. That will allow you to check the validity of the packages from that site. For example, I decided I wanted to use the KDE-redhat project to replace all my KDE packages from Fedora. I downloaded the digikam package and tried to verify it as follows:

# rpm --checksig digikam-doc-0.10.0-1.fc11.rpm
digikam-doc-0.10.0-1.fc11.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#ff6382fa)

Because the GPG public key was not installed, the contents couldn't be verified as correct. So, I went to the KDE-redhat project site and downloaded the GPG public key to the current directory. Then I imported the key as follows:

# rpm --import gpg-pubkey-ff6382fa-3e1ab2ca

With the GPG public key imported, the second check of the RPM showed that it was clean:

# rpm --checksig digikam-doc-0.9.4-3.fc11.rpm
digikam-doc-0.9.4-3.fc11.rpm: (sha1) dsa sha1 md5 gpg OK

Most of the GPG public keys you need for the basic repositories used with Fedora are included in the fedora-release package. GPG public keys from other repositories should be stored alongside those keys in the /etc/pki/rpm-gpg directory.
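The three rpm --checksig results above (OK, NOT OK with a missing key, and a plain failure) are exactly what a script installing a local RPM needs to tell apart. The following is an added example, not code from the page or from Fedora: classify_checksig parses one line of checksig output, and check_local_rpm wraps the real command and refuses to proceed unless everything verified. The sample lines reuse the output format and the key id ff6382fa shown on the page; the third sample line (a package named "example") is constructed. The function check_local_rpm assumes rpm is installed and is not exercised in the offline demo.

```shell
#!/bin/sh
# Added example: act on "rpm --checksig" results instead of eyeballing them.

# classify_checksig LINE -> prints OK, "MISSING_KEY <id>", NOT_OK or UNKNOWN.
classify_checksig() {
  case "$1" in
    *"MISSING KEYS:"*)
      # "... (GPG) NOT OK (MISSING KEYS: GPG#ff6382fa)" -> GPG#ff6382fa
      printf 'MISSING_KEY %s\n' \
        "$(printf '%s' "$1" | sed -n 's/.*MISSING KEYS: *\([^)]*\)).*/\1/p')" ;;
    *"NOT OK"*) printf 'NOT_OK\n' ;;   # must be tested before the plain OK case
    *" OK"*)    printf 'OK\n' ;;
    *)          printf 'UNKNOWN\n' ;;
  esac
}

# check_local_rpm FILE -> returns 0 only when every digest and the signature
# verified. On a missing key it names the key id and the directory where Fedora
# keeps repository keys, and deliberately does NOT import anything: the key has
# to come from the project's own site and be checked by hand before rpm --import,
# otherwise a forged package could ship its own "valid" key.
check_local_rpm() {
  pkg="$1"
  result="$(rpm --checksig "$pkg" 2>&1 | head -n 1)"
  status="$(classify_checksig "$result")"
  case "$status" in
    OK) echo "verified: $pkg"; return 0 ;;
    "MISSING_KEY "*)
      echo "refusing $pkg: key ${status#MISSING_KEY } is not imported" >&2
      echo "  (compare against the keys in /etc/pki/rpm-gpg, then rpm --import <keyfile>)" >&2
      return 2 ;;
    *)
      echo "refusing $pkg: digest or signature check failed ($result)" >&2
      return 1 ;;
  esac
}

# Constructed sample lines in the page's output format for the offline demo.
SAMPLE_OK='dvgrab-3.4-2.fc11.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_NOKEY='digikam-doc-0.10.0-1.fc11.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#ff6382fa)'
SAMPLE_BAD='example-1.0-1.fc11.noarch.rpm: (SHA1) DSA SHA1 MD5 GPG NOT OK'

for line in "$SAMPLE_OK" "$SAMPLE_NOKEY" "$SAMPLE_BAD"; do
  printf '%-14s <- %s\n' "$(classify_checksig "$line")" "$line"
done
# Real use (needs rpm):  check_local_rpm ./some-package.rpm && rpm -ivh ./some-package.rpm
```

Newer rpm releases print a shorter summary line ("digests signatures OK" or "digests SIGNATURES NOT OK"); the NOT OK and OK cases above still match it, but the MISSING KEYS text is the older format from the page, so on a newer system you would run rpm --checksig -v to see the key id.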

Remember, however, that it is best to get packages automatically from known repositories with yum (or related tools). Besides checking the signatures of packages, yum will also make sure all dependencies are resolved.