The RPM utility within Fedora automatically tries to verify the GPG signature of an RPM package before installing it. If the Fedora GPG key is not installed, install it from a secure, static location, such as a Fedora installation CD-ROM or DVD.
Assuming the Fedora installation disc is mounted in /mnt/cdrom, use the following command to import it into the keyring (a database of trusted keys on the system):
    rpm --import /mnt/cdrom/RPM-GPG-KEY

To display a list of all keys installed for RPM verification, execute the following command:

    rpm -qa 'gpg-pubkey*'

The output will look similar to the following:

    gpg-pubkey-db42a60e-37ea5438

To display details about a specific key, use the rpm -qi command followed by the output from the previous command, as in this example:

    rpm -qi gpg-pubkey-db42a60e-37ea5438

It is extremely important to verify the signature of the RPM files before installing them to ensure that they have not been altered from the original source of the packages. To verify all the downloaded packages at once, issue the following command:

    rpm -K /tmp/updates/*.rpm

For each package, if the GPG key verifies successfully, the command returns gpg OK. If it doesn't, make sure you are using the correct Fedora public key and verify the source of the content. Packages that do not pass GPG verification should not be installed, as they may have been altered by a third party.
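The check described above can be scripted so that an unsigned package, which rpm reports as OK on its digests alone, is not mistaken for a verified one. This is an added example, not part of the original text; the function names and the sample lines are constructed, and the exact wording of rpm -K output is assumed to follow the old ("gpg OK") or newer ("digests signatures OK") style.

```shell
#!/bin/sh
# Added example: classify `rpm -K` output per package.
# rpm prints lowercase words for checks that passed, uppercase for failures.

# Constructed sample lines (not real packages), old and newer rpm wording.
sample_output() {
    cat <<'EOF'
/tmp/updates/pkg-a-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
/tmp/updates/pkg-b-1.0-1.i386.rpm: sha1 md5 OK
/tmp/updates/pkg-c-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)
/tmp/updates/pkg-d-1.0-1.x86_64.rpm: digests signatures OK
EOF
}

# Read `rpm -K` output on stdin; print "PASS|FAIL|UNSIGNED <file>" per line.
classify_rpm_k() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        file=${line%%:*}      # text before the first colon
        result=${line#*:}     # everything after it
        case "$result" in
            # Bad signature or missing public key.
            *"NOT OK"*) echo "FAIL $file" ;;
            # A signature was present and verified.
            *" gpg "*OK|*" pgp "*OK|*" signatures "*OK) echo "PASS $file" ;;
            # Only digests were checked: the package carries no signature.
            *) echo "UNSIGNED $file" ;;
        esac
    done
}

# Succeed only if there is at least one package and every one is PASS.
all_signed() {
    verdicts=$(classify_rpm_k)
    [ -n "$verdicts" ] || return 1
    if printf '%s\n' "$verdicts" | grep -qv '^PASS '; then
        return 1
    fi
    return 0
}

# Demo on the constructed sample. Real use:
#   LC_ALL=C rpm -K /tmp/updates/*.rpm 2>&1 | all_signed && echo "all verified"
sample_output | classify_rpm_k
```
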
After verifying the GPG key and downloading all the packages associated with the errata report, install the packages as root at a shell prompt.