how to verify digital signature in RPM package

March 22, 2007 at around evening time · Filed under GnuPG, PKI, RPM, digital signature, information security

A packager could opt to sign a RPM package. If a RPM is signed, the RPM package would contain a digital signature ready to be used to verify the integrity and authenticity of the RPM package. To be effective, the signing should be done by a different user on a separate server and both the signing user account and the signing server are secure. Once such a RPM package is downloaded, you can verify its digital signature using the rpm command itself. The key itself may need to be verified with GnuPG or PGP command.
Below, I’ll walk through steps to verify digital signature of a RPM package available locally on this site. If you have the signing key and trust it, it is rather simple. For example, the signing GnuPG key for Fedora Core distribution is at /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora on a FC6 system.

  • import the key to the RPM database

rpm –import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

  • verify the RPM package under question. Take tripwire package for CentOS4 locally available on this site,

# rpm –checksig tripwire-2.4.0.1-2-RHEL4.4.i386.rpm
tripwire-2.4.0.1-2-RHEL4.4.i386.rpm: (sha1) dsa sha1 md5 gpg OK
# rpm –checksig –verbose tripwire-2.4.0.1-2-RHEL4.4.i386.rpm
tripwire-2.4.0.1-2-RHEL4.4.i386.rpm:
Header V3 DSA signature: OK, key ID 35b26d2c
Header SHA1 digest: OK (c20d21696bd2d24676f97640cc74659ebaa2d502)
MD5 digest: OK (8b66979abbb1836c7140a73b675c64dc)
V3 DSA signature: OK, key ID 35b26d2c

When the key is not in the RPM database, the verification of the digital signature will fail, stating the key is missing.

# rpm –checksig tripwire-2.4.0.1-2-RHEL4.4.i386.rpm
tripwire-2.4.0.1-2-RHEL4.4.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#35b26d2c)

# rpm –checksig –verbose tripwire-2.4.0.1-2-RHEL4.4.i386.rpm
tripwire-2.4.0.1-2-RHEL4.4.i386.rpm:
Header V3 DSA signature: NOKEY, key ID 35b26d2c
Header SHA1 digest: OK (c20d21696bd2d24676f97640cc74659ebaa2d502)
MD5 digest: OK (8b66979abbb1836c7140a73b675c64dc)
V3 DSA signature: NOKEY, key ID 35b26d2c

Normally, the author would publish the public key along with its fingerprint on his or her site, and also export it to public key server. To obtain the key and trust it, you will at least do the following:

  • retrieve and import the key to your GnuPG keyring
    • GnuPG has built-in key retrieval function, ‘–recv-key’. It will retrieve and import in one shot.

      • $ gpg –recv-key 35b26d2c
      gpg: requesting key 35B26D2C from hkp server subkeys.pgp.net
      gpg: key 35B26D2C: public key “CIO Jerry (http://www.supportsmb.com) <experts8@gmail.com>” imported
      gpg: Total number processed: 1
      gpg: imported: 1

    • Or, go to pgp.mit.edu or subkeys.pgp.net to search for the key id (0x35b26d2c). It will give you a link to retrieve armored text for the public key. Once you save the text to a local file, you will need to import manually, ‘gpg –import someones.pub.asc’
  • verify the fingerprint of the imported key by comparing it with the one listed on the key server or author’s website.

$ gpg –fingerprint 35b26d2c
pub 1024D/35B26D2C 2007-03-08
 Key fingerprint = BDBE 9969 F76A AFDC D1B7 1E15 281D DA12 35B2 6D2C
uid CIO Jerry (http://www.supportsmb.com) <experts8@gmail.com>
sub 2048g/C90D7386 2007-03-08

  • Optionally, sign the key to trust it, if you has verified it thoroughly
  • export the key  to import it into RPM database, in case you got the key without having it saved in a file first.

gpg –export -a 35b26d2c > drychilliGroup.pub.asc

Leave a Comment

Powered by WP Hashcash