搜索

此内容没有您所选择的语言版本。

1.5.2. Verifying Signed Packages

download PDF
All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) locks the package while the public key unlocks and verifies the package. If the public key distributed by Red Hat Enterprise Linux does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted.
The RPM utility within Red Hat Enterprise Linux 6 automatically tries to verify the GPG signature of an RPM package before installing it. If the Red Hat GPG key is not installed, install it from a secure, static location, such as a Red Hat installation CD-ROM or DVD.
Assuming the disc is mounted in /mnt/cdrom, use the following command as the root user to import it into the keyring (a database of trusted keys on the system):
~]# rpm --import /mnt/cdrom/RPM-GPG-KEY
Now, the Red Hat GPG key is located in the /etc/pki/rpm-gpg/ directory.
To display a list of all keys installed for RPM verification, execute the following command:
~]# rpm -qa gpg-pubkey*
gpg-pubkey-db42a60e-37ea5438
To display details about a specific key, use the rpm -qi command followed by the output from the previous command, as in this example:
~]# rpm -qi gpg-pubkey-db42a60e-37ea5438
Name        : gpg-pubkey                   Relocations: (not relocatable)
Version     : 2fa658e0                          Vendor: (none)
Release     : 45700c69                      Build Date: Fri 07 Oct 2011 02:04:51 PM CEST
Install Date: Fri 07 Oct 2011 02:04:51 PM CEST      Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
[output truncated]
It is extremely important to verify the signature of the RPM files before installing them to ensure that they have not been altered from the original source of the packages. To verify all the downloaded packages at once, issue the following command:
~]# rpm -K /root/updates/*.rpm
alsa-lib-1.0.22-3.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
alsa-utils-1.0.21-3.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
aspell-0.60.6-12.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
For each package, if the GPG key verifies successfully, the command returns gpg OK. If it does not, make sure you are using the correct Red Hat public key, as well as verifying the source of the content. Packages that do not pass GPG verification should not be installed, as they may have been altered by a third party.
After verifying the GPG key and downloading all the packages associated with the errata report, install the packages as root at a shell prompt.
Alternatively, you may use the Yum utility to verify signed packages. Yum provides secure package management by enabling GPG signature verification on GPG-signed packages to be turned on for all package repositories (that is, package sources), or for individual repositories. When signature verification is enabled, Yum will refuse to install any packages not GPG-signed with the correct key for that repository. This means that you can trust that the RPM packages you download and install on your system are from a trusted source, such as Red Hat, and were not modified during transfer.
In order to have automatic GPG signature verification enabled when installing or updating packages via Yum, ensure you have the following option defined under the [main] section of your /etc/yum.conf file:
gpgcheck=1
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.