Verifying Package Signatures
Most packages are signed by their packagers using a cryptographic key. This is to ensure that the package has not been modified between the time it was packaged and the time you received it. It also ensures that the package was created by the person who claims to have created it. GNU Privacy Guard (GPG) is used to sign the packages. For more detailed information on GPG, see Chapter 25, "Email Clients and Servers."
A distribution's public keys are generally available on the CD in a file called pgp-keys or something similar. To install these keys into your keyring, type the following on an OpenLinux system:
$ for file in /mnt/cdrom/col/pgp-keys/PGP-*; do gpg --import $file; done
Then, to check packages that claim they ...
Get Special Edition Using Linux®, Sixth Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.