To ensure that the system can cryptographically verify update packages (and also connect to the Red Hat Network to receive them if desired),
run the following command to ensure that the system has the Red Hat GPG key properly installed: $rpm -q –queryformat “%{SUMMARY}\n” gpg-pubkey
The command should return the string:    gpg(Red Hat, Inc. (release key <security@redhat.com>)

To verify that the Red Hat GPG key itself has not been tampered with, its fingerprint can be compared to the one from Red Hat’s web site at http://www.redhat.com/security/team/key. The following command can be used to print the installed release key’s fingerprint, which is actually contained in the file referenced below:
$ gpg –quiet –with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
More information on package signing is also available at https://fedoraproject.org/keys.

Suggested Posts:

Leave a Reply