
A.3.2. Checking Package Signatures

RPM packages can be signed with GNU Privacy Guard (GPG). A valid signature shows that a downloaded package was signed by the holder of a particular private key and has not been modified since it was signed; whether that makes the package trustworthy depends on whether you trust that key, which is why signing keys are imported explicitly, as described in Section A.3.2.1. GPG is a tool for secure communication: with it you can verify the authenticity of documents and encrypt or decrypt data.
To verify that a package has not been corrupted or tampered with, check its GPG signature by using the rpmkeys command with the -K (or --checksig) option:
rpmkeys -K package.rpm
A signature can only be verified when the public key that made it has already been imported into the RPM database. If it has not, rpmkeys still confirms that the package digests match but reports the signature as NOT OK, and the verbose form, rpmkeys -Kv package.rpm, names the missing key ID with the status NOKEY. A package that reports only its digests as OK is unsigned: matching digests prove that the file is intact, not who produced it. Note that such an unsigned package exits with status 0, so a script must check that the output reports signatures as OK rather than relying on the exit status alone.
Note that the DNF package manager checks GPG signatures automatically during installations and upgrades, but only for repositories whose configuration sets gpgcheck=1; a repository configured with gpgcheck=0 installs packages without any signature check.
GPG is installed by default, as well as a set of Red Hat keys for verifying packages. To import additional keys for use with RPM, see Section A.3.2.1, “Importing GPG Keys”.

A.3.2.1. Importing GPG Keys

To verify Red Hat packages, the Red Hat GPG key that signed them must be imported. A set of basic keys is installed by default. Imported keys are stored in the RPM database as pseudo-packages named gpg-pubkey-<key ID>-<key creation time in hexadecimal>. To view a list of installed keys, execute the following command at a shell prompt:
~]$ rpm -qa gpg-pubkey*
To display details about a specific key, including the owner's name and e-mail address and the ASCII-armored public key itself, use rpm -qi followed by one of the names from the previous command. For example:
~]$ rpm -qi gpg-pubkey-fd431d51-4ae0493b
Use the rpmkeys command with the --import option to install a new key for use with RPM. The default location for storing RPM GPG keys is the /etc/pki/rpm-gpg/ directory. Importing a key tells RPM to accept every package signed with it, so before importing a key obtained from anywhere other than the key files shipped with the system, compare its fingerprint (for example, as printed by gpg --show-keys keyfile on GnuPG 2.2 or later) with the fingerprint Red Hat publishes for that key. To import new keys, use a command like the following as root:
~]# rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
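The signature check from Section A.3.2 and the key listing above, put together as an added shell example (not code from the original page or from Red Hat): it classifies the result line of rpmkeys -K so that an unsigned package is not mistaken for a verified one, and when a check fails it reads the verbose output to tell a missing key from a bad signature, then consults the gpg-pubkey list to say which of the two it is. It assumes the message wording of rpm 4.14 and later; the sample lines in the comments are constructed for illustration, and the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original page: act on `rpmkeys -K` results
# from a script. Assumes the rpm 4.14+ message wording; sample lines in the
# comments are constructed for illustration.

# Classify one result line of `rpmkeys -K` (one line per package):
#   "pkg.rpm: digests signatures OK"      -> verified (valid signature, key imported)
#   "pkg.rpm: digests SIGNATURES NOT OK"  -> reject   (bad signature, or key not imported)
#   "pkg.rpm: digests OK"                 -> unsigned (intact, but nobody vouches for it)
# Order matters: "NOT OK" must be tested before the OK patterns.
classify_checksig() {
    case "$1" in
        *"NOT OK"*)                echo reject ;;
        *"digests signatures OK"*) echo verified ;;
        *"digests OK"*)            echo unsigned ;;
        *)                         echo unknown ;;
    esac
}

# Pull the key ID out of a verbose (-Kv) line that reports a missing key, e.g.
#   "    Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY"
# Prints nothing for lines that do not end in NOKEY.
missing_key_id() {
    printf '%s\n' "$1" | sed -n 's/.*key ID \([0-9a-f]\{8,16\}\): NOKEY.*/\1/p'
}

# Is a key with this ID among the installed gpg-pubkey pseudo-packages?
# $1: output of `rpm -qa gpg-pubkey*` (one name per line), $2: key ID in lower-case hex.
key_installed() {
    printf '%s\n' "$1" | grep -q "^gpg-pubkey-$2-"
}

# Verify one package on a live system. Returns 0 only for "verified"; on any
# other outcome it explains the failure on stderr and returns 1.
verify_package() {
    pkg=$1
    result=$(rpmkeys -K "$pkg" 2>&1) || true      # exit status alone is not enough (unsigned = 0)
    status=$(classify_checksig "$result")
    [ "$status" = verified ] && return 0
    echo "$pkg: $status ($result)" >&2
    installed=$(rpm -qa 'gpg-pubkey*')
    rpmkeys -Kv "$pkg" 2>/dev/null | while IFS= read -r line; do
        id=$(missing_key_id "$line")
        [ -n "$id" ] || continue
        if key_installed "$installed" "$id"; then
            echo "key $id is installed, so this is a bad signature, not a missing key" >&2
        else
            echo "signing key $id is not imported; check its fingerprint, then: rpmkeys --import <keyfile>" >&2
        fi
    done
    return 1
}

# Usage: sh verify-rpm.sh package.rpm...   (exit status 1 if any package fails)
if [ $# -gt 0 ] && command -v rpmkeys >/dev/null 2>&1; then
    rc=0
    for p in "$@"; do verify_package "$p" || rc=1; done
    exit $rc
fi
```

The classifier deliberately treats "digests OK" as a failure: rpmkeys exits 0 for such a package, and a script that only tests the exit status would install unsigned packages without noticing.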
See the Product Signing (GPG) Keys article on the Red Hat Customer Portal for additional information about Red Hat package-signing practices.