Verify an RPM package
RPM packages include an embedded signature, which you can verify after importing the Puppet public key.
- Import the public key:
gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-key 4528B6CD9E61EF26
If this is your first time running the gpg tool, it might fail to import the key after creating its configuration file and keyring. Run the command a second time to import the key into the newly created keyring. The gpg tool imports the key:
gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
gpg: key 4528B6CD9E61EF26: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
- Verify the fingerprint:
gpg --list-key --fingerprint 4528B6CD9E61EF26
The fingerprint of the Puppet release signing key is D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26. Ensure the fingerprint listed matches this value.
- Retrieve the Puppet public key and place it in a file on your node.
- Use the RPM tool to import the public key, replacing <PUBLIC KEY FILE> with the path to the file containing the public key:
sudo rpm --import <PUBLIC KEY FILE>
The RPM tool doesn’t output anything if the command is successful.
- Use the RPM tool to check the signature of a downloaded RPM package:
sudo rpm -vK <RPM_FILE_NAME>
The RPM tool verifies the embedded signature and reports OK for each check:
puppet-agent-1.5.1-1.el6.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID EF8D349F: OK
    Header SHA1 digest: OK (95b492a1fff452d029aaeb59598f1c78dbfee0c5)
    V4 RSA/SHA512 Signature, key ID EF8D349F: OK
    MD5 digest: OK (4878909ccdd0af24fa9909790dd63a12)
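The steps above rely on a human reading the fingerprint and the OK lines. The following added example (not from the Puppet docs) turns the same checks into shell functions that fail closed: the fingerprint is compared against the value printed on this page before the key is imported into rpm, and the `rpm -vK` output is rejected unless every signature and digest line reports OK. The `gpg --show-keys` call, the `verify_rpm` wrapper and the `SAMPLE_*` strings are assumptions and constructed data for offline testing, not real tool output.

```shell
# Added example, not from the Puppet docs. EXPECTED_FPR is the fingerprint
# printed on the page; the SAMPLE_* strings below are constructed stand-ins
# for gpg and rpm output so the checks can be exercised offline.
EXPECTED_FPR="D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26"

# Read a `gpg --with-colons` key listing on stdin; succeed only if the
# primary key's "fpr" record (field 10) equals the expected fingerprint.
# Subkey fingerprints (fpr records after a "sub" record) are ignored.
fingerprint_matches() {
    awk -F: -v want="$(printf '%s' "$1" | tr -d ' ')" '
        $1 == "pub" { primary = 1 }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary && $10 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Read `rpm -vK` output on stdin; succeed only if at least one signature
# line is present and every Signature/digest line ends in OK. Anything
# else (NOKEY, NOT OK, BAD, NOTTRUSTED) fails the check.
rpm_checks_ok() {
    awk '
        /Signature, key ID/ { sig = 1 }
        /(Signature|digest)/ && !/: OK( \(|$)/ { bad = 1 }
        END { exit (sig && !bad) ? 0 : 1 }'
}

# Live procedure (needs gpg, rpm and sudo): $1 is the downloaded key file,
# $2 the RPM. The fingerprint of the file actually being imported is
# checked, the key is imported, then the package signature is verified.
verify_rpm() {
    gpg --with-colons --show-keys "$1" | fingerprint_matches "$EXPECTED_FPR" \
        || { echo "key fingerprint mismatch, not importing" >&2; return 1; }
    sudo rpm --import "$1" || return 1
    sudo rpm -vK "$2" | rpm_checks_ok
}

# Constructed samples (zero-filled fields are placeholders, not real data).
SAMPLE_GPG_GOOD='pub:-:4096:1:4528B6CD9E61EF26:1464362999:::-:::scESC::::::23::0:
fpr:::::::::D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26:
uid:-::::1464362999::0000000000000000000000000000000000000000::Puppet, Inc. Release Key <release@puppet.com>::::::::::0:
sub:-:4096:1:0000000000000000:1464362999::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'
SAMPLE_RPM_GOOD='puppet-agent-1.5.1-1.el6.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID EF8D349F: OK
    Header SHA1 digest: OK (95b492a1fff452d029aaeb59598f1c78dbfee0c5)
    V4 RSA/SHA512 Signature, key ID EF8D349F: OK
    MD5 digest: OK (4878909ccdd0af24fa9909790dd63a12)'
SAMPLE_RPM_NOKEY='puppet-agent-1.5.1-1.el6.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID EF8D349F: NOKEY
    Header SHA1 digest: OK (95b492a1fff452d029aaeb59598f1c78dbfee0c5)'
```

Run the live path as `verify_rpm <PUBLIC KEY FILE> <RPM_FILE_NAME>`; a non-zero exit means either the key is not the one whose fingerprint the page gives or rpm reported something other than OK.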