Manualshelf

User guide

ManualsBrandsRed Hat ManualsOtherENTERPRISE LINUX 4 - SELINUX GUIDE
21222324252627282930
Chapter 1. Security Overview
16
1.5.2. Verifying Signed Packages
All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU
Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed
files. For example, a private key (secret key) locks the package while the public key unlocks and
verifies the package. If the public key distributed by Red Hat Enterprise Linux does not match the
private key during RPM verification, the package may have been altered and therefore cannot be
trusted.
The RPM utility within Red Hat Enterprise Linux 6 automatically tries to verify the GPG signature of an
RPM package before installing it. If the Red Hat GPG key is not installed, install it from a secure, static
location, such as a Red Hat installation CD-ROM or DVD.
Assuming the disc is mounted in /mnt/cdrom, use the following command to import it into the keyring
(a database of trusted keys on the system):
rpm --import /mnt/cdrom/RPM-GPG-KEY
To display a list of all keys installed for RPM verification, execute the following command:
rpm -qa gpg-pubkey*
The output will look similar to the following:
gpg-pubkey-db42a60e-37ea5438
To display details about a specific key, use the rpm -qi command followed by the output from the
previous command, as in this example:
rpm -qi gpg-pubkey-db42a60e-37ea5438
It is extremely important to verify the signature of the RPM files before installing them to ensure that
they have not been altered from the original source of the packages. To verify all the downloaded
packages at once, issue the following command:
rpm -K /tmp/updates/*.rpm
For each package, if the GPG key verifies successfully, the command returns gpg OK. If it doesn't,
make sure you are using the correct Red Hat public key, as well as verifying the source of the content.
Packages that do not pass GPG verifications should not be installed, as they may have been altered
by a third party.
After verifying the GPG key and downloading all the packages associated with the errata report, install
the packages as root at a shell prompt.
1.5.3. Installing Signed Packages
Installation for most packages can be done safely (except kernel packages) by issuing the following
command:
rpm -Uvh /tmp/updates/*.rpm
For kernel packages use the following command: