Installation guide

Chapter 25. Package Management with RPM 223
To verify an installed package against an RPM package file:
rpm -Vp foo-1.0-1.i386.rpm
This command can be useful if you suspect that your RPM databases are corrupt.
If everything verified properly, there will be no output. If there are any discrepancies they
will be displayed. The format of the output is a string of eight characters (a c denotes a
configuration file) and then the file name. Each of the eight characters denotes the result of
a comparison of one attribute of the file to the value of that attribute recorded in the RPM
database. A single . (a period) means the test passed. The following characters denote failure
of certain tests:
5 — MD5 checksum
S — file size
L — symbolic link
T — file modification time
D — device
U — user
G — group
M — mode (includes permissions and file type)
? — unreadable file
If you see any output, use your best judgment to determine if you should remove or reinstall
the package, or fix the problem in another way.
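As an added example (not part of this guide), the following Python script parses rpm -V output in the format described above and separates changes that are usually expected (edited configuration files, timestamp-only differences) from content, ownership or permission changes to non-configuration files, which are the ones worth investigating. The sample output is constructed; the handling of "missing" lines and of a ninth flag column found in later rpm versions is an assumption that goes beyond what this page describes.

```python
import re
from collections import namedtuple

# Attribute letters as listed in the guide, in the order rpm -V prints them.
ATTRIBUTES = {
    "5": "MD5 checksum", "S": "file size", "L": "symbolic link",
    "T": "modification time", "D": "device", "U": "user",
    "G": "group", "M": "mode", "?": "unreadable",
}

# Eight flag characters (nine in later rpm releases: assumption), optional
# single-letter file type (c = configuration file), then the path.
LINE_RE = re.compile(
    r"^(?P<flags>[S.5LTDUGM?]{8,9})\s+(?:(?P<type>[a-z])\s+)?(?P<path>/\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<type>[a-z])\s+)?(?P<path>/\S.*)$")

Finding = namedtuple("Finding", "path config failed")

def parse_verify_line(line):
    """Return a Finding for one rpm -V output line, or None if it is blank/unparsable."""
    line = line.rstrip("\n")
    m = LINE_RE.match(line)
    if m:
        failed = [ATTRIBUTES[ch] for ch in m.group("flags") if ch in ATTRIBUTES]
        return Finding(m.group("path"), m.group("type") == "c", failed)
    m = MISSING_RE.match(line)  # file recorded in the database but absent on disk
    if m:
        return Finding(m.group("path"), m.group("type") == "c", ["missing"])
    return None

SERIOUS = {"MD5 checksum", "file size", "mode", "user", "group",
           "symbolic link", "device", "missing"}

def suspicious(finding):
    """Config files are routinely edited; a timestamp alone is harmless.
    Anything else changing on a non-config file deserves a closer look."""
    return not finding.config and bool(SERIOUS & set(finding.failed))

def triage(output):
    """Parse a whole rpm -V run and return only the findings worth investigating."""
    findings = (parse_verify_line(l) for l in output.splitlines())
    return [f for f in findings if f and suspicious(f)]

# Constructed sample of rpm -Va output (not output from a real system).
SAMPLE = """\
S.5....T c /etc/ssh/sshd_config
.......T   /usr/share/doc/foo-1.0/README
S.5....T   /bin/ls
.M......   /usr/sbin/sendmail
missing    /usr/lib/libfoo.so.1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.path, "->", ", ".join(f.failed))
```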
25.3. Checking a Package’s Signature
If you wish to verify that a package has not been corrupted or tampered with, examine only
the md5sum by typing the following command at a shell prompt (replace coolapp with the
filename of your RPM package):
rpm --checksig --nogpg coolapp-1.1-1.rpm
You will see the message coolapp-1.1-1.rpm: md5 OK. This brief message means that the
file was not corrupted by the download.
On the other hand, how trustworthy is the developer who created the package? If the package is signed with the developer’s GnuPG key, you will know that the developer really is who they say they are.
An RPM package can be signed using Gnu Privacy Guard (or GnuPG), to help you make
certain your downloaded package is trustworthy.
GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption technology of PGP, an electronic privacy program. With GnuPG, you can authenticate the validity of documents, and encrypt/decrypt data to and from other recipients. GnuPG is capable of decrypting and verifying PGP 5.x files, as well.
During the installation of Red Hat Linux, GnuPG is installed by default. That way you can
immediately start using GnuPG to verify any packages that you receive from Red Hat. First,
you will need to import Red Hat’s public key.