
Lab 23: Package Integrity

Verify package authenticity and integrity before installation by checking signatures, digests, and trusted key stores. Use RPM verification tooling and Debian metadata inspection to prove you’re not installing tampered or untrusted software.

security packages troubleshooting

Scenario

You’ve been handed a package file and asked to validate it before it touches production. The task is simple: confirm the package is authentic, confirm it has not been modified, and confirm the system trusts the signing key. You will perform RPM signature verification, inspect RPM digests, and validate Debian package metadata for integrity signals.

Operator context

“It installed fine” is not a control. This workflow is how you prove provenance and integrity before you install anything on a server you care about.

Objective

  • Verify the GPG signature on an RPM package file.
  • Verify signature and digest details for an RPM using verbose verification.
  • Inspect Debian package metadata for integrity-relevant signals.
  • Identify where trusted APT repository keys are stored.
  • Import a trusted public key on an RPM-based system.

Concepts

  • Authenticity versus integrity: “signed by a trusted key” versus “bytes match what was signed.”
  • RPM signature checks rely on keys present in the RPM database; a valid signature can still be “NOKEY” if the key is not trusted locally.
  • Digest verification validates the package payload (tamper detection) independently of installation success.
  • Debian packages typically rely on repository metadata and signed Release files; local artifact inspection helps you confirm what you were handed.
  • Key import is a trust decision: verify fingerprints through an independent channel before importing.

Walkthrough

Step 1 : Verify the GPG signature on an RPM package file.
Command
rpm --checksig vim.rpm

This checks whether the package signature and digest validate against keys trusted by the RPM database. If the key is missing or untrusted, the check may report NOKEY even if the package is signed.

# Expected patterns:
# vim.rpm: digests signatures OK
# vim.rpm: ... NOKEY (key not imported/trusted locally)

Step 2 : Show detailed signature and digest verification for the RPM.
Command
rpm -Kv vim.rpm

-K verifies signatures and digests, and -v lists each header signature, header digest, and payload digest on its own line with its own result, so you can tell a payload digest mismatch apart from a signature whose key is simply not trusted. Use this when you need evidence for both signature validity and payload integrity.

# Expected pattern:
# vim.rpm: ... OK

Step 3 : Inspect Debian package metadata (integrity-relevant signals).
Command
dpkg-deb --info vim.deb

This prints control metadata (package name, version, arch, maintainer, dependencies). Pair it with repository trust checks and published hashes when validating an artifact handoff.

# Expect metadata output including control fields.
# (Checksum fields may not appear here depending on the build.)
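To turn the metadata inspection above into a repeatable check, here is an added example (not part of the lab) that extracts the identity fields from dpkg-deb --info output, compares them with what the handoff said you should receive, and then compares the artifact's SHA-256 with a digest published out of band (for instance the SHA256 field of the repository's Packages index). The sample dpkg-deb output, the version string, and the maintainer address are constructed placeholders; verify_deb is the only function that touches a real .deb.

```shell
#!/bin/sh
# Added example (not part of the lab): tie dpkg-deb --info output to the
# identity you were told to expect, then compare the artifact's SHA-256 with
# a digest published out of band. Sample text below is constructed.

# Extract one control field from `dpkg-deb --info <pkg.deb>` output.
# dpkg-deb indents the control block by one space, so leading whitespace
# is stripped before matching "Field:" at the start of the line.
control_field() {
    printf '%s\n' "$2" | awk -v f="$1" '
        { sub(/^[ \t]+/, "") }
        index($0, f ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Return 0 only if Package, Version and Architecture all match what the
# handoff said you should receive.
check_identity() {
    info=$1; want_pkg=$2; want_ver=$3; want_arch=$4
    [ "$(control_field Package "$info")" = "$want_pkg" ] &&
    [ "$(control_field Version "$info")" = "$want_ver" ] &&
    [ "$(control_field Architecture "$info")" = "$want_arch" ]
}

# SHA-256 of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Compare the artifact's digest with a published one, ignoring hex case.
# An empty digest (missing tool, unreadable file) never matches.
sha256_matches() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    published=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$published" ]
}

# Full check against a real .deb: identity from metadata, then the bytes.
verify_deb() {
    deb=$1; want_pkg=$2; want_ver=$3; want_arch=$4; published_sha=$5
    info=$(dpkg-deb --info "$deb") || return 1
    check_identity "$info" "$want_pkg" "$want_ver" "$want_arch" || {
        echo "identity mismatch for $deb" >&2; return 1; }
    sha256_matches "$deb" "$published_sha" || {
        echo "digest mismatch for $deb" >&2; return 1; }
}

# Constructed sample of dpkg-deb --info output (version is a placeholder).
SAMPLE_INFO=' new Debian package, version 2.0.
 size 1234567 bytes: control archive=1234 bytes.
     345 bytes,    10 lines      control
     678 bytes,    20 lines      md5sums
 Package: vim
 Version: 2:9.0.0000-1
 Architecture: amd64
 Maintainer: Example Maintainer <placeholder@example.invalid>
 Depends: libc6 (>= 2.34)
 Description: Vi IMproved - enhanced vi editor (constructed sample)'

printf 'Package=%s Version=%s Arch=%s\n' \
    "$(control_field Package "$SAMPLE_INFO")" \
    "$(control_field Version "$SAMPLE_INFO")" \
    "$(control_field Architecture "$SAMPLE_INFO")"
check_identity "$SAMPLE_INFO" vim 2:9.0.0000-1 amd64 && echo "identity: match"
# Against a real artifact (placeholder digest):
# verify_deb vim.deb vim 2:9.0.0000-1 amd64 <published-sha256>
```

The identity check only proves you received the package you were told to expect; the digest comparison is what proves the bytes are the published ones, and it is only as strong as the channel the published digest came from, which is why the lab keeps pointing back to signed repository metadata.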

Step 4 : Identify where trusted APT keys live.
Paths
/etc/apt/trusted.gpg
/etc/apt/trusted.gpg.d/

/etc/apt/trusted.gpg is the deprecated single keyring and /etc/apt/trusted.gpg.d/ holds keyring fragments; a key in either location is trusted for every configured repository, not just the one it was published for. Modern setups instead reference a per-repository keyring with signed-by= in the source list entry, which limits that key to that repository.
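The following added example (not part of the lab) audits which trust store each one-line-style APT source entry actually depends on: entries with a signed-by= option are tied to a named keyring, while the rest fall back to the global keyrings under /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/. The sample source lines and hostnames are constructed; deb822 .sources files (with a Signed-By: field) are out of scope for this parser.

```shell
#!/bin/sh
# Added example (not part of the lab): map each one-line-style APT source
# entry to the keyring that vouches for it. Entries without signed-by= rely
# on the global keyrings under /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/,
# which trust that key for every repository.
# Deb822 .sources files (Signed-By: field) are not handled here.

# Print "<uri> <keyring>" per deb/deb-src line; GLOBAL marks entries that
# rely on the global trust store rather than a per-repository keyring.
apt_source_trust() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "deb" || $1 == "deb-src" {
            keyring = "GLOBAL"; uri = $2
            if ($2 ~ /^\[/) {
                # options block, e.g. [arch=amd64 signed-by=/path/keyring.gpg]
                lb = index($0, "["); rb = index($0, "]")
                opts = substr($0, lb + 1, rb - lb - 1)
                n = split(opts, kv, " ")
                for (i = 1; i <= n; i++)
                    if (kv[i] ~ /^signed-by=/) keyring = substr(kv[i], 11)
                split(substr($0, rb + 1), rest, " "); uri = rest[1]
            }
            print uri, keyring
        }'
}

# Number of entries trusting the global store (ideally zero on a hardened host).
count_global_trust() {
    apt_source_trust "$1" | awk '$2 == "GLOBAL" { n++ } END { print n + 0 }'
}

# Run against a live host: every one-line source file, then the global keyrings.
audit_host_sources() {
    for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        apt_source_trust "$(cat "$f")"
    done
    echo "global keyrings (trusted for all repositories):"
    ls -1 /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/* 2>/dev/null
}

# Constructed sample (not a real host configuration).
SAMPLE_SOURCES='# constructed sample
deb http://deb.example.invalid/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://pkgs.example.invalid/apt stable main
deb-src http://deb.example.invalid/debian bookworm main'

apt_source_trust "$SAMPLE_SOURCES"
echo "entries relying on global trust: $(count_global_trust "$SAMPLE_SOURCES")"
```

On the sample, the two deb.example.invalid entries report GLOBAL and the pkgs.example.invalid entry reports its dedicated keyring; on a real host, every GLOBAL line is a repository whose signing key is also trusted for all the others, which is the exposure the signed-by= convention exists to remove.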

Step 5 : Import a trusted RPM GPG key.
Command
rpm --import /path/to/RPM-GPG-KEY

Importing a key is a trust decision. In real operations, you verify the key fingerprint from an independent channel before adding it to a host’s trust store.

# Re-run verification after import:
rpm --checksig vim.rpm
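Steps 1, 2 and 5 together form one gate: verify, decide what a NOKEY result means, confirm the key fingerprint out of band, import, and re-verify. The added example below (not the lab's own tooling) wires that sequence into a script. It assumes GnuPG 2.1.23 or newer for gpg --show-keys, and that the expected fingerprint passed to the gate was obtained through an independent channel; the rpm -Kv and gpg sample outputs, the key ID, the fingerprint, and the file paths are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not the lab's own tooling): an install gate built around the
# rpm -Kv / rpm --import / re-verify sequence from Steps 1, 2 and 5. Assumes
# GnuPG 2.1.23+ (for `gpg --show-keys`) and that the expected fingerprint was
# obtained through an independent channel. Paths and sample output below are
# constructed placeholders.

# Reduce rpm -Kv / rpm --checksig output to one verdict: OK, NOKEY or BAD.
# A BAD digest or signature line is a hard stop even if other lines say OK;
# NOKEY (newer rpm) and MISSING KEYS (older rpm) mean "signed, key not trusted".
classify_rpm_output() {
    case "$1" in
        *BAD*|*NOTTRUSTED*)        echo BAD ;;
        *NOKEY*|*"MISSING KEYS"*)  echo NOKEY ;;
        *"NOT OK"*)                echo BAD ;;
        *OK*)                      echo OK ;;
        *)                         echo BAD ;;
    esac
}

# Primary-key fingerprint from `gpg --with-colons --show-keys <keyfile>`
# output: the first fpr: record, field 10.
fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

key_fingerprint() {
    fpr_from_colons "$(gpg --with-colons --show-keys "$1" 2>/dev/null)"
}

# Compare fingerprints ignoring spacing and hex case; empty never matches.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Returns 0 only when the package verifies OK, importing the key solely when
# its fingerprint matches the independently obtained value.
rpm_install_gate() {
    pkg=$1; keyfile=$2; expected_fpr=$3
    case "$(classify_rpm_output "$(rpm -Kv "$pkg" 2>&1)")" in
        OK)  return 0 ;;
        BAD) echo "hard stop: $pkg failed verification" >&2; return 1 ;;
    esac
    actual=$(key_fingerprint "$keyfile")
    if ! fingerprint_matches "$actual" "$expected_fpr"; then
        echo "refusing import: fingerprint '$actual' does not match expected" >&2
        return 1
    fi
    rpm --import "$keyfile" || return 1
    [ "$(classify_rpm_output "$(rpm -Kv "$pkg" 2>&1)")" = OK ]
}

# Constructed rpm -Kv outputs (key ID is a placeholder).
SAMPLE_OK='Header V4 RSA/SHA256 Signature, key ID 0000000000000000: OK
Header SHA256 digest: OK
Payload SHA256 digest: OK'
SAMPLE_NOKEY='Header V4 RSA/SHA256 Signature, key ID 0000000000000000: NOKEY
Header SHA256 digest: OK
Payload SHA256 digest: OK'
SAMPLE_BAD='Header V4 RSA/SHA256 Signature, key ID 0000000000000000: OK
Header SHA256 digest: OK
Payload SHA256 digest: BAD'
# Constructed gpg --with-colons --show-keys output for a placeholder key.
SAMPLE_COLONS='pub:-:4096:1:0000000000000000:1600000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::0000000000000000000000000000000000000000::Example Vendor <placeholder@example.invalid>::::::::::0:'

for s in "$SAMPLE_OK" "$SAMPLE_NOKEY" "$SAMPLE_BAD"; do
    echo "verdict: $(classify_rpm_output "$s")"
done
echo "fingerprint: $(fpr_from_colons "$SAMPLE_COLONS")"
# Gate call on a real host (placeholder paths and fingerprint):
# rpm_install_gate vim.rpm /path/to/RPM-GPG-KEY '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
```

The ordering in classify_rpm_output is deliberate: a BAD payload digest wins over everything, because a missing key is recoverable and a corrupted payload is not, and the gate only ever calls rpm --import after fingerprint_matches has succeeded against a value it did not obtain from the package or the key file itself.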

Breakpoints

rpm --checksig returns NOKEY

The package may be signed, but the signing key is not present in the local RPM database. Validate the key fingerprint via an independent channel, then import the trusted key.

rpm -Kv reports BAD or NOT OK

Treat this as a hard stop. The artifact may be corrupted, incomplete, or tampered. Re-download from a trusted source and re-verify.

Debian artifact verification feels “thin”

Debian integrity is normally proven through repository trust (signed Release files) and checksums in repo metadata. Metadata inspection helps confirm you received the expected package identity, but does not replace repo signature checks.

Blind key import temptation

Importing a key because verification failed defeats the purpose. Always verify the fingerprint from a trusted source before importing.

Cleanup checklist

This lab is read-only unless you import a key. If you imported a key on a shared system, confirm it is the correct key and document the trust decision.

Commands
# Re-verify the artifact:
rpm --checksig vim.rpm
rpm -Kv vim.rpm

Success signal

RPM verification reports signatures/digests OK and you can explain which key is trusted and why it is trusted.

Reference

  • rpm --checksig <pkg.rpm> : Verifies RPM signature and digest using trusted RPM keys.
    • --checksig : Checks signature and digest for the package file.
  • rpm -Kv <pkg.rpm> : Verifies signature and digest with more detailed output.
    • -K : Verifies signatures and digests for the package file.
    • -v : Enables verbose verification output.
  • dpkg-deb --info <pkg.deb> : Displays Debian package metadata and control fields.
    • --info : Prints control metadata for the package file.
  • rpm --import <keyfile> : Imports a public key into the RPM trust database.
    • --import : Adds the provided key to the RPM database for signature verification.
  • /etc/apt/trusted.gpg : Legacy trusted APT keyring file.
  • /etc/apt/trusted.gpg.d/ : Directory containing trusted APT keyring fragments.