In fact, you cannot just verify the file with gpg commands because the signature is not of the entire. Since the rpm utility has its own key management, there is no need to import the GPG public keys to your personal GPG keyring. The rpm utility has its own key management For some projects, the key may also be available directly from a source web site. The public key is included in an RPM package, which also configures the yum repo. YUM and DNF use repository configuration files to provide pointers to the GPG public key locations and assist in importing the keys so that RPM can verify the packages.įor this article, I will use keys and packages from EPEL.
The rpm utility uses GPG keys to sign packages and its own collection of imported public keys to verify the packages. The RPM format has an area specifically reserved to hold a signature of the header and payload. While GPG can sign any file, manually checking package signatures is not scalable for system administrators. To detect and avoid malicious replacement packages, package owners can sign the package files, and consumers can verify those signatures.
For many open-source projects, that includes hosting by volunteers. The projects and companies providing the packages utilize content distribution networks (CDNs) and mirror sites to make their packages available to consumers. Large and popular RPM repositories are typically replicated around the world. How well do you know Linux? Take a quiz and get a badge.Linux system administration skills assessment.A guide to installing applications on Linux.Download RHEL 9 at no charge through the Red Hat Developer program.
0 kommentar(er)
