33

The cryptographic signature of an RPM can be verified with the rpm -K command. This returns a string containing gpg (or pgp) and ending in OK if the signature is in RPM's database and is valid.

If the package is not signed but the checksums are valid, you'll still get OK, but no gpg.

If the package is signed but the key is missing from the RPM database, you get (GPG) (capital letters) and NOT OKAY, followed by (MISSING KEYS: GPG#deadbeef).

That's handy if I want to figure out what key I should find to install to make my package installation work.

But what if I want to verify which of several keys in my RPM keyring was used to sign a given package?

mattdm
  • 39,535
  • 18
  • 99
  • 133

4 Answers4

38

There is a Signature field listed via rpm -qpi package.rpm, e.g.,:

[vagrant@vm-one ~]$ rpm -qpi puppet-3.7.4-1.el6.noarch.rpm
Name        : puppet
Version     : 3.7.4
Release     : 1.el6
Architecture: noarch
Install Date: (not installed)
Group       : System Environment/Base
Size        : 6532300
License     : ASL 2.0
Signature   : RSA/SHA512, Tue 27 Jan 2015 11:17:18 PM UTC, Key ID 1054b7a24bd6ec30
Source RPM  : puppet-3.7.4-1.el6.src.rpm
Build Date  : Mon 26 Jan 2015 11:48:15 PM UTC
Build Host  : tahoe.delivery.puppetlabs.net
Relocations : (not relocatable)
Vendor      : Puppet Labs
URL         : http://puppetlabs.com
Summary     : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.
030
  • 1,527
  • 2
  • 17
  • 33
brightlancer
  • 489
  • 1
  • 3
  • 2
17
rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n'
Philip Durbin
  • 899
  • 2
  • 8
  • 13
  • 1
    Only works if you have already installed the package, Brightlancer's solution below allows you to check a signature before installing – Thomas BDX Mar 25 '15 at 15:47
  • 4
    This works just fine even for an uninstalled package if you replace `-a` with `-p packagename.rpm`. – larsks Aug 11 '15 at 15:32
9

To find out which GPG key in your RPM DB signed a specfic rpm, do this:

List all the GPG keys in your RPM DB:

$ rpm -qa gpg-pubkey*
...
...
gpg-pubkey-b1275ea3-546d1808
...
...

First ensure the rpm in question is signed with a key in your RPM DB:

$ rpm -K hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm
hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

You're looking for the OK at the end, and not 'NOT OK (MISSING KEYS', which will mean it has been signed, but by a key not in your RPM DB.

Right, so the rpm we're checking has been signed by a key in our RPM DB.

And then get the Key ID the rpm was signed with:

$ rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm
mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4 RSA/SHA1, Tue Apr 14 12:34:51 2015, Key ID fadd8d64b1275ea3 (none)

Now you can see whether the last 8 characters of the Key ID (i.e. b1275ea3 from fadd8d64b1275ea3) corresponds to any of the 8 characters following gpg-pubkey- from the first command. And in this case, it does!

And then you have the key in question, so do:

$ rpm -qi gpg-pubkey-b1275ea3-546d1808

to see, in this example, that it was HP's key that signed this rpm.

Hope this helps. Took me a while to figure out. :-)

Seekoei
  • 91
  • 1
  • 1
5

Issue less <rpm file> and check the Signature entry, e.g.,:

[vagrant@vm-one ~]$ less artifactory-3.5.3.rpm
Name        : artifactory
Version     : 3.5.3
Release     : 30172
Architecture: noarch
Install Date: (not installed)
Group       : Development/Tools
Size        : 42286184
License     : LGPL
Signature   : (none)
Source RPM  : artifactory-3.5.3-30172.src.rpm
Build Date  : Thu 19 Mar 2015 04:47:04 PM UTC
Build Host  : artbuild2.jfrog.local
Relocations : (not relocatable)
Vendor      : JFrog Ltd.
URL         : http://www.jfrog.org
Summary     : Binary Repository Manager
Description :
The best binary repository manager around.
-rwxrwxr-x    1 root    root                     7891 Mar 19 16:47 /etc/init.d/artifactory
drwxr-xr-x    2 artifactartifact                    0 Mar 19 16:47 /etc/opt/jfrog/artifactory
-rwxrwx---    1 artifactartifact                 9855 Mar 19 16:47 /etc/opt/jfrog/artifactory/artifactory.config.xml
-rwxrwx---    1 artifactartifact                11172 Mar 19 16:47 /etc/opt/jfrog/artifactory/artifactory.system.properties
-rwxrwx---    1 artifactartifact                  457 Mar 19 16:47 /etc/opt/jfrog/artifactory/default
-rwxrwx---    1 artifactartifact                 6858 Mar 19 16:47 /etc/opt/jfrog/artifactory/logback.xml
-rwxrwx---    1 artifactartifact                 5470 Mar 19 16:47 /etc/opt/jfrog/artifactory/mimetypes.xml
drwxrwxr-x    2 root    root                        0 Mar 19 16:47 /opt/jfrog
drwxrwxr-x    2 root    root                        0 Mar 19 16:47 /opt/jfrog/artifactory/bin
-rwxrwxr-x    1 root    root                   103424 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory-service.exe
-rwxrwxr-x    1 root    root                     1366 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory.bat
-rwxrwxr-x    1 root    root                      457 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory.default
artifactory-3.5.3.rpm
030
  • 1,527
  • 2
  • 17
  • 33
Sirex
  • 7,646
  • 1
  • 17
  • 18