Chapter 2. Verifying RPM packages with post-quantum signatures


To safeguard RHEL system integrity against future quantum computing attacks, install and verify RPM packages with post-quantum signatures. By utilizing these quantum-resistant algorithms, you ensure long-term software authenticity and prevent future forgery.

2.1. Enabling post-quantum RPM signatures verification

To fortify the RHEL operating system against future quantum computing threats, enable the verification of RPM packages by using quantum-resistant algorithms. This configuration ensures the system can authenticate the integrity and origin of software signed with post-quantum cryptography.

In earlier Red Hat Enterprise Linux (RHEL) releases, the RPM utility verified only RPMv4 signatures. In RHEL 9.7 and later RHEL 9 versions, you can enable support for RPMv6 signatures by installing the multisig DNF plugin. The system then uses this plugin to verify post-quantum signatures transparently during the installation process. For verification to succeed, you must ensure the system trusts all required OpenPGP certificates.

One package can include multiple RPMv6 signatures, but only one RPMv4 signature. For example, RHEL RPM packages include the following signatures:

  • RSA and hybrid ML-DSA-87-Ed448 RPMv6 signatures
  • RSA RPMv4 signature

The redhat-release package already includes all OpenPGP certificates required to verify RHEL RPM signatures:

$ rpm -ql redhat-release
...
/etc/pki/rpm-gpg/RPM-GPG-KEY-PQC-redhat-release
/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
...

Note that starting with RHEL 10.1, RPM provides native support for RPMv6 signatures. If a package contains an RPMv6 signature, the system verifies it automatically and ignores any legacy RPMv4 signatures. No additional configuration or plugins are required for this process.

Important

Always import or reference all OpenPGP certificates, including both classical keys, such as RSA, and post-quantum keys, such as ML-DSA. This hybrid verification enhances security: if one cryptographic algorithm or key is compromised, the system remains protected by the other.

If you distribute your own RPM packages with post-quantum signatures, establish trust for all OpenPGP certificates required to verify the signatures. Also, keep the post-quantum certificates and classical certificates in separate files.

Prerequisites

  • RHEL 9.7 or later is installed and fully updated.

Procedure

  1. Install the dnf-plugin-multisig package. This package also installs the pqrpm package, which is separate from default system RPM tools and uses its own database of trusted OpenPGP certificates.

    # dnf install dnf-plugin-multisig

  2. To establish trust for Red Hat OpenPGP certificates, complete one of the following steps:

    • Add the certificates into the DNF repository configuration file. Use the gpgkey directive in the /etc/yum.repos.d/<repo_name>.repo file and list both certificate files:

      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
             file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PQC-redhat-release

      Indentation of the gpgkey values matters.

      Note that if you use this option, the system displays an additional interactive prompt during the package installation from the CLI unless you use the dnf command with the --assumeyes or -y option.

    • Import both certificates into the pqrpm database:

      # /usr/lib/pqrpm/bin/rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/RPM-GPG-KEY-PQC-redhat-release

      Use this alternative when the first option is not available, for example, when the DNF repository configuration file is managed externally and you cannot easily edit it.

Verification

  1. Install or update an RPM package, for example:

    # dnf install gnupg2

  2. Check that the DNF plugin successfully verified all signatures during your last package installation or update:

    # grep "Multisig:" /var/log/dnf.log
    2026-03-11T13:44:51+0100 DEBUG Multisig: verifying: /var/cache/dnf/rhel-9.8.0-baseos-f47b1846dcc4d7f2/packages/gnupg2-2.3.3-5.el9_7.x86_64.rpm
    2026-03-11T13:44:52+0100 DEBUG Multisig: verification result: All signatures for gnupg2-2.3.3-5.el9_7.x86_64.rpm successfully verified (code=0)

    If you need to check the list of specific signatures that were verified, see Next steps.

  3. Verify that the OpenPGP certificates are imported into the pqrpm database:

    $ /usr/lib/pqrpm/bin/rpmkeys -l
    fd431d51-4ae0493b: Red Hat, Inc. (release key 2) <security@redhat.com> public key
    5a6340b3-6229229e: Red Hat, Inc. (auxiliary key 3) <security@redhat.com> public key
    05707a62-68e6a1f3: Red Hat, Inc. (release key 4) <security@redhat.com> public key

    Note that if you added the certificates into the DNF repository configuration file, they are imported only after a successful package installation.
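
The log check in step 2 can be automated. The following is an added example, not part of the Red Hat documentation: it reports every package that the plugin started verifying without a later `successfully verified (code=0)` result. The function name, the second package name, and the wording of the failed result line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list packages that the multisig plugin started verifying
# but for which the log holds no later "successfully verified (code=0)" result.
# Reads dnf.log lines on stdin; returns 1 if any such package is found.
unverified_packages() {
    awk '
        /Multisig: verifying: / {
            n = split($NF, part, "/")      # keep only the RPM file name
            pending[part[n]] = 1           # every new attempt needs a new result
            next
        }
        /Multisig: verification result: All signatures for .* successfully verified \(code=0\)/ {
            name = $0
            sub(/.*All signatures for /, "", name)
            sub(/ successfully verified.*/, "", name)
            delete pending[name]
        }
        END {
            for (p in pending) { print p; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# The first two lines are from the procedure above. The last two are
# constructed; the wording of the failed result is an assumption, and the
# function does not depend on it.
sample_log() { cat <<'EOF'
2026-03-11T13:44:51+0100 DEBUG Multisig: verifying: /var/cache/dnf/rhel-9.8.0-baseos-f47b1846dcc4d7f2/packages/gnupg2-2.3.3-5.el9_7.x86_64.rpm
2026-03-11T13:44:52+0100 DEBUG Multisig: verification result: All signatures for gnupg2-2.3.3-5.el9_7.x86_64.rpm successfully verified (code=0)
2026-03-11T13:50:10+0100 DEBUG Multisig: verifying: /var/cache/dnf/example-repo/packages/example-pkg-1.0-1.el9.x86_64.rpm
2026-03-11T13:50:11+0100 DEBUG Multisig: verification result: verification failed for example-pkg-1.0-1.el9.x86_64.rpm (code=1)
EOF
}

sample_log | unverified_packages || echo "review the packages listed above"
```

On a real system, feed the function from the log instead of the sample: `unverified_packages < /var/log/dnf.log`.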

2.2. Verifying RHEL RPM packages with post-quantum signatures

To protect RHEL against future quantum attacks that can break standard keys, verify RPM packages signed with post-quantum cryptography. This ensures the integrity and authenticity of software updates throughout the system’s lifecycle.

Prerequisites

Procedure

  1. Download the RPM package that you want to verify into the current directory:

    $ dnf download <package_name>

  2. Verify the signatures of the RPM file and list the results of all checks:

    $ /usr/lib/pqrpm/bin/rpmkeys -Kv <package_file_name.rpm>
    Header V6 ML-DSA-87+Ed448/SHA512 Signature, key ID 05707a62: OK
    Header V4 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
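
To turn this output into a pass or fail decision, for example in a mirroring or CI job, the following added example (not part of the Red Hat documentation) fails when any check is not `OK` and also when no `Header V6` signature was verified. The function names and the two non-passing samples are constructed, and the status words other than `OK` are assumed to follow the usual `rpmkeys` output.

```shell
#!/bin/sh
# Added example: gate on `rpmkeys -Kv` output read from stdin.
# Exit status: 0 = every check OK and a V6 signature verified,
#              1 = at least one check is not OK (for example NOKEY or BAD),
#              2 = all checks OK but no V6 signature line was present.
check_pq_verified() {
    awk '
        NF == 0    { next }              # blank line
        $NF ~ /:$/ { next }              # "<file>.rpm:" heading line
        { status = $NF }                 # each result line ends in ": <STATUS>"
        status != "OK" { bad++; print "not verified: " $0 > "/dev/stderr" }
        /Header V6 .*Signature/ && status == "OK" { v6++ }
        END { if (bad) exit 1; if (!v6) exit 2 }'
}

# Output copied from the procedure above.
sample_ok() { cat <<'EOF'
Header V6 ML-DSA-87+Ed448/SHA512 Signature, key ID 05707a62: OK
Header V4 RSA/SHA256 Signature, key ID fd431d51: OK
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
MD5 digest: OK
EOF
}

# Constructed: the post-quantum certificate was not imported.
sample_nokey() { cat <<'EOF'
Header V6 ML-DSA-87+Ed448/SHA512 Signature, key ID 05707a62: NOKEY
Header V4 RSA/SHA256 Signature, key ID fd431d51: OK
Header SHA256 digest: OK
Payload SHA256 digest: OK
EOF
}

# Constructed: a package that carries only the classical signature.
sample_v4_only() { cat <<'EOF'
Header V4 RSA/SHA256 Signature, key ID fd431d51: OK
Header SHA256 digest: OK
Payload SHA256 digest: OK
EOF
}

for s in sample_ok sample_nokey sample_v4_only; do
    rc=0; "$s" | check_pq_verified || rc=$?
    echo "$s: exit $rc"
done
```

With a real package, pipe the command from step 2 into the function: `/usr/lib/pqrpm/bin/rpmkeys -Kv <package_file_name.rpm> | check_pq_verified`.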