How do I verify that the system is using the correct GPG keys to verify all patches, packages and updates installed from RHN or a repo under RHEL 5 or 6 server operating systems?
All packages can be cryptographically verified using the rpm / yum and gpg commands. You need to use the /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release file. All packages from RHN or a 3rd party Fedora Linux repo are signed with a GPG signature. The yum command will verify these signatures and refuse to install any packages that are not signed or have bad signatures. This ensures that the packages from RHN were provided by Red Hat, Inc. and have not been modified by anyone else.
Verify Installed Keys
To verify that the keys installed on your RHEL server system match the key listed here, use GnuPG to check that the fingerprint of the key matches:
# gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Sample outputs:
pub 4096R/FD431D51 2009-10-22 Red Hat, Inc. (release key 2)
      Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
pub 1024D/2FA658E0 2006-12-01 Red Hat, Inc. (auxiliary key)
      Key fingerprint = 43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0
If you use Fedora Linux packages, see this page for more information. If you use CentOS Linux packages, go here for more information.
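The fingerprint comparison described above can be scripted so it fails loudly on any mismatch. This is an added example, not part of the original page: the names extract_fprs, check_fprs, EXPECTED_FPRS and SAMPLE_OUTPUT are illustrative, the pinned values are the two fingerprints from the sample output, and it assumes gpg prints "Key fingerprint =" lines as shown there.

```shell
#!/bin/sh
# Added example: compare fingerprints reported by gpg against a pinned list.
# Pinned values are the two fingerprints from the page's sample output,
# written without spaces (assumption: that output is your trusted reference).
EXPECTED_FPRS="567E347AD0044ADE55BA8A5F199E2F91FD431D51
43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"

# Read `gpg --with-fingerprint` output on stdin and print one fingerprint
# per line, uppercase, with whitespace removed.
extract_fprs() {
    sed -n 's/^.*Key fingerprint = *//p' | tr -d ' \t\r' | tr 'abcdef' 'ABCDEF'
}

# Return 0 only if the input holds at least one fingerprint and every
# fingerprint in it is on the pinned list.
check_fprs() {
    fprs=$(extract_fprs)
    if [ -z "$fprs" ]; then
        echo "FAIL     no fingerprint found in input"
        return 1
    fi
    rc=0
    for fpr in $fprs; do
        if printf '%s\n' "$EXPECTED_FPRS" | grep -qxF "$fpr"; then
            echo "OK       $fpr"
        else
            echo "MISMATCH $fpr"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: the gpg output shown on this page.
SAMPLE_OUTPUT='pub 4096R/FD431D51 2009-10-22 Red Hat, Inc. (release key 2)
      Key fingerprint = 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51
pub 1024D/2FA658E0 2006-12-01 Red Hat, Inc. (auxiliary key)
      Key fingerprint = 43A6 E49C 4A38 F4BE 9ABF  2A53 4568 9C88 2FA6 58E0'

printf '%s\n' "$SAMPLE_OUTPUT" | check_fprs

# On a RHEL host, feed it the real output instead:
#   gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release | check_fprs
```

A non-zero exit status from check_fprs means the key file contains a key that is not on the pinned list, or no key at all, so it can gate a provisioning or audit job.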
How Do I Make Sure That the System Has the Red Hat GPG Key Installed?
Type the following command:
# rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
Sample outputs (should match as follows - taken from RHEL v6.1 - Santiago):
gpg(Red Hat, Inc. (release key 2))
gpg(Red Hat, Inc. (auxiliary key) )