[WBEL-devel] About the key files in rpm package
Milan Kerslager
milan.kerslager@pslib.cz
Thu, 15 Jan 2004 21:02:42 +0100
On Wed, Jan 14, 2004 at 07:58:24PM +0800, aiic wrote:
> Hi John Morris!
>
> There are three key files in rpm-4.2.1.tar.gz : RPM-GPG-KEY, RPM-PGP-KEY and BETA-GPG-KEY.
>
> What's the use of them?
> What's the difference between RPM-GPG-KEY and RPM-PGP-KEY?
> What's the use of BETA-GPG-KEY?
> Have you replaced all of them in whitebox?
> How did you do that?

They are Red Hat's public keys.

RPM-GPG-KEY is for gpg (aka gnupg). This is the 'official Red Hat security
key for regular releases'. This is the current, actual key for signing RH's
products.

RPM-PGP-KEY is for pgp (PrettyGoodPrivacy), i.e. the (commercial) predecessor
of gnupg. This is an old key. You need this key to verify old packages. The
pgp program is not a part of RH Linux or Fedora anymore; it has been
replaced by gnupg.

BETA-GPG-KEY is the current key for Beta releases. This key has a lower
security arrangement IMHO (for internal signing of RH's packages).

There are more keys currently to fit the Fedora project's needs, see:
http://ftp.pslib.cz/pub/linux/fedora/linux/core/1/i386/os/

You probably want to import all the keys to your RPM database to be able
to verify any package, so download them and type (don't import them
twice):

rpm --import RPM-GPG-KEY RPM-PGP-KEY BETA-GPG-KEY ....

Make sure you have Morris's key too:
http://whiteboxlinux.org/pub/3.0/en/os/i386/RPM-GPG-KEY

List your rpm keys: rpm -qa | grep gpg-pubkey
List details of your keys: rpm -qi gpg-pubkey-db42a60e-37ea5438
Show what key is in the file: gpg -v RPM-GPG-KEY
--
Milan Kerslager
E-mail: milan.kerslager@pslib.cz
WWW: http://www.pslib.cz/~kerslage/
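
An added example, not part of the original post: rpm names each imported key `gpg-pubkey-<last 8 hex digits of the key ID>-<key creation time in hex>`, so the `rpm -qa` listing mentioned above can be decoded and used to check whether a key is already in the database before running `rpm --import` again. The function names and the sample listing are constructed for illustration; only `gpg-pubkey-db42a60e-37ea5438` comes from the post.

```shell
#!/bin/sh
# Constructed sample of `rpm -qa` output; only the gpg-pubkey name is from the post.
SAMPLE_RPM_QA='bash-2.05b-29
gpg-pubkey-db42a60e-37ea5438
rpm-4.2.1-1'

# decode_pubkey NAME: print "KEYID CREATED_EPOCH" for a gpg-pubkey entry,
# or return 1 if NAME is not a well-formed gpg-pubkey package name.
decode_pubkey() {
    case "$1" in
        gpg-pubkey-*-*) ;;
        *) return 1 ;;
    esac
    rest=${1#gpg-pubkey-}
    keyid=${rest%%-*}          # rpm "version": low 32 bits of the key ID
    created_hex=${rest#*-}     # rpm "release": key creation time, hexadecimal
    case "$keyid$created_hex" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#keyid}" -eq 8 ] && [ -n "$created_hex" ] || return 1
    printf '%s %d\n' "$keyid" "$((0x$created_hex))"
}

# list_keys: read an `rpm -qa` listing on stdin, print one decoded line per key.
list_keys() {
    while IFS= read -r pkg; do
        decode_pubkey "$pkg" || true
    done
}

# is_imported KEYID: read an `rpm -qa` listing on stdin; succeed if KEYID
# (short or long form, any case) already has a gpg-pubkey entry.
is_imported() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/')
    while IFS= read -r pkg; do
        if decoded=$(decode_pubkey "$pkg"); then
            if [ "${decoded%% *}" = "$want" ]; then return 0; fi
        fi
    done
    return 1
}

# Stand-alone run on the sample; on a real system pipe `rpm -qa` in instead.
printf '%s\n' "$SAMPLE_RPM_QA" | list_keys
```

The epoch printed for the sample key, 938103864, is 1999-09-23 UTC. The key ID to pass to `is_imported` is the one `gpg -v RPM-GPG-KEY` shows for the file.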