Package Security Check

If you download a software package, you may want to check its integrity and authenticity, making sure the package was not tampered with and that it really came from the source it claims. Yum is configured to perform this check automatically on all software downloaded from your Fedora repositories. Each repository configuration file in the /etc/yum.repos.d directory has its gpgcheck option set to 1. Should you want to turn off this check for a particular repository, you can set its gpgcheck option to 0, but you then install whatever that repository (or a compromised mirror of it) serves you, with no protection against a modified package.

To authenticate a package, its digital signature is checked. The package author signs the package with a private key, and the resulting signature can be verified by anyone who holds the matching public key. This public key first has to be downloaded and installed on the signature-checking tool used on your system. Fedora, along with most Linux systems, uses the GNU Privacy Guard (GPG) encryption tool. To use a public key to authenticate an RPM package, you first have to install it in the RPM key database. For all RPM packages that are part of the Fedora distribution, you can use the Fedora public key, placed during installation in the /usr/share/doc/fedora-release-7/RPM-GPG-KEY file.

You need to import the key to the RPM database before you can check Fedora packages. The first time you use Pirut to install a package, you will be prompted to import the GPG key. Once it is imported, you need not import it again. Alternatively, you can manually import the key as shown here:

rpm --import /usr/share/doc/fedora-release-7/RPM-GPG-KEY

If you have downloaded an RPM package from another site, you can also download and install that site's public key, with which you can authenticate the package. For example, there are public keys for both the Livna and Freshrpms Fedora Yum repositories. These are included in the repository release packages, which you can download and install, for instance, livna-release-7.rpm for Livna. The keys are installed automatically along with the repository configuration. Obtain such a release package from the repository's own site: a key fetched from the same untrusted location as a package proves nothing about that package.

Once the public key is installed, you can check a package's signature and digests with the rpm command and the -K option (the same as --checksig). The output line ends in OK when every check passed. NOT OK means a digest or signature check failed, and a NOT OK result that mentions MISSING KEYS means the package is signed with a key you have not imported, so its signature could not be verified at all; import the key and check again rather than treating the package as trusted.

To see a list of all the keys you have imported, you can use the -qa option and match on the gpg-pubkey* pattern. Using rpm with the -qi option and one of these gpg-pubkey package names, you can display detailed information about the key, including the user ID and fingerprint you should compare against the one the distributor publishes. The following example shows the imported Fedora public keys:

gpg-pubkey-4f2a6fd2-3f9d9d3b
gpg-pubkey-db42a60e-37ea5438

You can manually check just a package's integrity with the rpm command and the -K and --nosignature options. RPM stores digest values, such as an MD5 digest, computed over the contents of the package. If a digest does not match, the package has been corrupted or altered since it was built. Some packages provide only digest values, allowing only integrity checks. A digest alone does not prove authenticity, however: anyone who modifies a package can recompute its digests, so only a valid signature from a trusted key shows that the package comes from its claimed source. In the next example, the user checks whether the xvidcore package has been altered. The --nosignature option says not to perform authentication, doing the integrity check only.

$ rpm -K --nosignature xvidcore-1.2.0-4.lvn.i386.rpm
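The checks described above can be scripted so that a download job refuses anything that did not verify against an imported key. The following is an added example and is not code from the original text or from Fedora: it classifies the one-line verdict that rpm -K prints, extracts the key IDs from a MISSING KEYS result, and returns success only for a package whose signature verified. The sample output lines are constructed, modelled on the rpm 4.4-era format (lower-case tokens passed, upper-case tokens failed, parenthesised tokens were skipped because the key is missing) plus the newer "digests signatures OK" form; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original text): classify `rpm -K` output and
# enforce "signature verified against an imported key, or reject".

# rpm_verdict LINE -> signed-ok | digests-only | missing-key | bad | unknown
# Assumed formats (constructed samples, rpm 4.4 style):
#   pkg.rpm: (sha1) dsa sha1 md5 gpg OK                          everything verified
#   pkg.rpm: sha1 md5 OK                                         unsigned, or -K --nosignature
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#4f2a6fd2)
#   pkg.rpm: (sha1) dsa sha1 MD5 gpg NOT OK                      digest mismatch
# and the newer "pkg.rpm: digests signatures OK" form.
rpm_verdict() {
    case "$1" in
        *"NOT OK"*"MISSING KEYS"*)  echo missing-key ;;   # signed by a key not in the RPM db
        *"NOT OK"*)                 echo bad ;;           # a digest or signature check failed
        *" gpg OK"|*" pgp OK"|*" signatures OK")
                                    echo signed-ok ;;     # signature verified with an imported key
        *" OK")                     echo digests-only ;;  # integrity only: says nothing about origin
        *)                          echo unknown ;;
    esac
}

# missing_key_ids LINE -> the key ids rpm reported (e.g. "GPG#4f2a6fd2"), or nothing
missing_key_ids() {
    printf '%s\n' "$1" | sed -n 's/.*MISSING KEYS: \(.*\))$/\1/p'
}

# check_rpm FILE -> prints the verdict; returns 0 only for signed-ok.
# Deliberately does not pass --nosignature: that would make every package look digests-only.
check_rpm() {
    out=$(rpm -K "$1" 2>&1) || true     # rpm exits non-zero on failure; the text carries the verdict
    verdict=$(rpm_verdict "$out")
    printf '%s: %s\n' "$1" "$verdict"
    case "$verdict" in
        missing-key) printf '  import the key first: %s\n' "$(missing_key_ids "$out")" ;;
    esac
    [ "$verdict" = signed-ok ]
}

# Usage: sh check-rpm.sh package.rpm ...   (exit status is non-zero if any package was rejected)
if [ $# -gt 0 ]; then
    status=0
    for pkg in "$@"; do
        check_rpm "$pkg" || status=1
    done
    exit $status
fi
```

A digests-only verdict is rejected on purpose: it is exactly what rpm reports for an unsigned package and for a tampered package whose digests were recomputed, so a policy that accepts it is no stronger than no check at all. A newer rpm reports a missing key as "digests SIGNATURES NOT OK" without the MISSING KEYS text; the script classifies that as bad, which is still a rejection.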
