[system-administrators-guide/17] Moved the Checking a Package's Signature section to the RPM.xml file.

jhradile jhradile at fedoraproject.org
Mon Oct 22 16:27:40 UTC 2012


commit 2a6f1b35e01d852492248fcc271051196a29286c
Author: Jaromir Hradilek <jhradilek at redhat.com>
Date:   Mon Oct 22 14:03:22 2012 +0200

    Moved the Checking a Package's Signature section to the RPM.xml file.

 en-US/RPM.xml |   53 +++++++++++++++++++++++++++++++++++++++++++++++------
 1 files changed, 47 insertions(+), 6 deletions(-)
---
diff --git a/en-US/RPM.xml b/en-US/RPM.xml
index e885d3d..09b8870 100644
--- a/en-US/RPM.xml
+++ b/en-US/RPM.xml
@@ -539,12 +539,53 @@ ghostscript-8.70-1.&PKGOS;.x86_64</screen>
       <para>If you see any output, use your best judgment to determine if you should remove the package, reinstall it, or fix the problem in another way.</para>
     </section>
   </section>
-  <!--<xi:include
-    xmlns:xi="http://www.w3.org/2001/XInclude"
-    href="RPM-Checking_Package_Signatures-RH.xml" />-->
-  <xi:include
-    xmlns:xi="http://www.w3.org/2001/XInclude"
-    href="RPM-Checking_Package_Signatures-Fedora.xml" />
+  <section
+    id="s1-check-rpm-sig">
+    <title>Checking a Package's Signature</title>
+    <indexterm>
+      <primary>RPM</primary>
+      <secondary>md5sum</secondary>
+    </indexterm>
+    <para>To verify that a package has not been corrupted or tampered with, examine the checksum by typing the following command at a shell prompt (where <replaceable>&lt;rpm_file&gt;</replaceable> is the file name of the RPM package):</para>
+    <screen><command>rpm -K --nosignature <replaceable>&lt;rpm_file&gt;</replaceable></command></screen>
+    <para>If the message <computeroutput><replaceable>&lt;rpm_file&gt;</replaceable>: sha1 md5 OK</computeroutput> (specifically the <computeroutput>OK</computeroutput> part of it) is displayed, the file was not corrupted during download. To see a more verbose message, replace <option>-K</option> with <option>-Kvv</option> in the command.</para>
+    <para>On the other hand, how trustworthy is the developer who created the package? If the package is <firstterm>signed</firstterm> with the developer's GnuPG <firstterm>key</firstterm>, you know that the developer really is who they say they are.</para>
+    <indexterm>
+      <primary>RPM</primary>
+      <secondary>GnuPG</secondary>
+    </indexterm>
+    <indexterm>
+      <primary>RPM</primary>
+      <secondary>checking package signatures</secondary>
+    </indexterm>
+    <indexterm>
+      <primary>GnuPG</primary>
+      <secondary>checking RPM package signatures</secondary>
+    </indexterm>
+    <para>An RPM package can be signed using <firstterm>GNU Privacy Guard</firstterm> (or GnuPG), to help you make certain your downloaded package is trustworthy.</para>
+    <para>GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption technology of PGP, an electronic privacy program. With GnuPG, you can authenticate the validity of documents and encrypt/decrypt data to and from other recipients. GnuPG is capable of decrypting and verifying PGP 5.<replaceable>x</replaceable> files as well.</para>
+    <para>During installation, GnuPG is installed by default, which enables you to immediately start using it to verify any packages that you download from the Fedora Project. Before doing so, you first need to import the correct Fedora key.</para>
+    <section
+      id="s2-keys-importing">
+      <title>Importing Keys</title>
+      <para>Fedora GnuPG keys are located in the <filename>/etc/pki/rpm-gpg/</filename> directory. To verify a Fedora Project package, first import the correct key based on your processor architecture:</para>
+      <screen><command>rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-<replaceable>x86_64</replaceable></command></screen>
+      <para>To display a list of all keys installed for RPM verification, execute the command:</para>
+      <screen><command>rpm -qa gpg-pubkey*</command></screen>
+      <para>For the Fedora Project key, the output states:</para>
+      <screen>gpg-pubkey-57bbccba-4a6f97af</screen>
+      <para>To display details about a specific key, use <command>rpm -qi</command> followed by the output from the previous command:</para>
+      <screen><command>rpm -qi gpg-pubkey-57bbccba-4a6f97af</command></screen>
+    </section>
+    <section
+      id="s2-keys-checking">
+      <title>Verifying Signature of Packages</title>
+      <para>To check the GnuPG signature of an RPM file after importing the builder's GnuPG key, use the following command (replace <replaceable>&lt;rpm_file&gt;</replaceable> with the file name of the RPM package):</para>
+      <screen><command>rpm -K <replaceable>&lt;rpm_file&gt;</replaceable></command></screen>
+      <para>If all goes well, the following message is displayed: <computeroutput>rsa sha1 (md5) pgp md5 OK</computeroutput>. This means that the signature of the package has been verified, that it is not corrupt, and is therefore safe to install and use.</para>
+      <para>For more information, including a list of currently-used Fedora Project keys and their fingerprints, refer to <ulink url="http://fedoraproject.org/en/keys"/>.</para>
+    </section>
+  </section>
   <section
     id="s1-rpm-impressing">
     <title>Practical and Common Examples of RPM Usage</title>
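Review bot: the new s2-keys-importing section imports and displays a key but never tells the reader to verify it before trusting it. The `rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-...` step and the `rpm -qi gpg-pubkey-57bbccba-4a6f97af` step show the key, yet nothing says to compare its fingerprint with the published list at http://fedoraproject.org/en/keys, which the patch only cites as "more information" at the very end of s2-keys-checking. Without that comparison, the earlier sentence "you know that the developer really is who they say they are" and the closing "is therefore safe to install and use" overstate what `rpm -K` establishes, namely that the package was signed by whichever key was imported and has not been modified since. Suggest adding a sentence after the `rpm -qi` command instructing the reader to check the displayed fingerprint against the keys page, and rewording the last claim to "has not been altered since it was signed". Separately, the key file name is written with only an architecture placeholder and the sample output `gpg-pubkey-57bbccba-4a6f97af` is one fixed value; since the surrounding file uses the &PKGOS; entity for release-specific names (see the hunk header context), consider making the key file name release-aware and presenting the key id as example output rather than what "the output states".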

