
Lab 23: GPG and RPM/DPKG Verification

Verify package authenticity and integrity before installation by checking GPG signatures, digests, and trusted key stores. Use RPM verification tooling and Debian metadata inspection to prove you’re not installing tampered or untrusted software.

Tags: security, packages, troubleshooting

Scenario

You’ve been handed a package file and asked to validate it before it touches production. The task is simple: confirm the package is authentic, confirm it has not been modified, and confirm the system trusts the signing key. You will perform RPM signature verification, inspect RPM digests, and validate Debian package metadata for integrity signals.

Operator context

“It installed fine” is not a control. This workflow is how you prove provenance and integrity before you install anything on a server you care about.

Objective

  • Verify the GPG signature on an RPM package file.
  • Verify signature and digest details for an RPM using verbose verification.
  • Inspect Debian package metadata for checksum information.
  • Identify where trusted APT GPG keys are stored.
  • Import a trusted public key on an RPM-based system.

What You’ll Practice

  • RPM signature verification with rpm --checksig.
  • Combined signature + digest verification with rpm -Kv.
  • Debian package metadata inspection using dpkg-deb --info.
  • Locating trusted APT key material under /etc/apt.
  • Trust bootstrapping on RPM systems with rpm --import.

Walkthrough

Step 1: Verify the GPG signature on an RPM package file.
Command
rpm --checksig vim.rpm

This checks whether the package's signature and digests validate against the public keys held in the RPM database. If the signing key is missing from that database or is not trusted, the check fails even though the package carries a signature.

# Expected pattern:
# vim.rpm: ... OK

Step 2: Show detailed signature and digest verification for the RPM.
Command
rpm -Kv vim.rpm

-K is shorthand for --checksig; adding -v prints one result line per header signature and digest check instead of a one-line summary. This is useful when you need to demonstrate both signature validity and digest integrity.

# Expected pattern:
# vim.rpm: ... OK

Step 3: Inspect Debian package metadata (checksum signals).
Command
dpkg-deb --info vim.deb

This prints package metadata and control fields. In controlled environments, you use this alongside repository signatures and published hashes to validate you received the expected artifact.

# Expect the control archive listing (control, md5sums, maintainer scripts) followed by the control fields.
# If the build ships an md5sums member, that is the checksum data: one MD5 per payload file.
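The control archive listing from Step 3 tells you whether the package carries an md5sums member; the script below, an added example that is not part of the lab, takes the next step and checks the package payload against those checksums. It assumes a POSIX shell with dpkg-deb, GNU md5sum and mktemp, and the package path is a placeholder. Keep in mind what this proves: whoever built the package also wrote md5sums, so a match shows the archive is internally consistent (no corruption in transit, no file swapped inside the .deb), while authenticity still comes from the repository signature.

```shell
#!/bin/sh
# Added example, not part of the lab: check that the files in a .deb's payload
# match the per-file checksums the package carries in its control archive.
# Assumes a POSIX shell with dpkg-deb, GNU md5sum and mktemp; "vim.deb" is a
# placeholder path. This proves internal consistency only: authenticity
# comes from the repository/package signature, never from this check alone.

# Verify an extracted payload tree against an md5sums file.
# $1 = tree root, $2 = md5sums file ("<md5>  <relative path>" per line).
# Returns 0 when every listed file matches, non-zero on mismatch or missing file.
check_tree_md5sums() {
    tree=$1; sums=$2
    # The redirect is evaluated before the subshell changes directory, so a
    # relative $sums path still resolves from the caller's cwd.
    ( cd "$tree" && md5sum -c --quiet - ) < "$sums"
}

# Whole-package check: dpkg-deb --info lists the control archive members
# (look for "md5sums" in that listing); dpkg-deb -e extracts them and
# dpkg-deb -x extracts the payload (data archive).
verify_deb_md5sums() {
    deb=$1
    work=$(mktemp -d) || return 1
    dpkg-deb --info "$deb"                   # same listing as Step 3
    dpkg-deb -e "$deb" "$work/ctrl"          # control files: control, md5sums, ...
    if [ ! -f "$work/ctrl/md5sums" ]; then
        echo "FAIL: $deb ships no md5sums; payload cannot be checked this way" >&2
        rm -rf "$work"; return 1
    fi
    dpkg-deb -x "$deb" "$work/root"          # payload tree
    if check_tree_md5sums "$work/root" "$work/ctrl/md5sums"; then
        echo "PASS: payload of $deb matches its md5sums"; rc=0
    else
        echo "FAIL: payload of $deb does not match its md5sums" >&2; rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Usage: sh deb_md5check.sh vim.deb
if [ "$#" -ge 1 ]; then
    verify_deb_md5sums "$1"
fi
```

md5sum -c exits non-zero on any mismatch or missing file, so the function can be used directly as a gate in a provisioning script; the noisy per-file "OK" lines are suppressed with --quiet while failures are still printed.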
Step 4: Identify where trusted APT keys live.
Paths
/etc/apt/trusted.gpg
/etc/apt/trusted.gpg.d/

These are common legacy locations for trusted APT keys. In practice, you should understand where your distro stores trust and how new repos are configured so you can audit changes and avoid blind imports.
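To audit that trust rather than just know where it lives, the script below, an added example that is not part of the lab, enumerates the keys APT accepts for every repository (the legacy stores named above) and the keyrings individual source entries bind themselves to, and flags entries that switch signature checking off. It assumes a POSIX shell, gpg 2.1.23 or newer (for --show-keys) and the stock APT layout, including /etc/apt/keyrings/ as the usual home for per-repository keys referenced with signed-by= or Signed-By:.

```shell
#!/bin/sh
# Added example, not part of the lab: enumerate what APT trusts on this host.
# Assumes a POSIX shell, gpg 2.1.23+ and the stock APT layout: keys under
# /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/ are trusted for EVERY
# repository (legacy, global trust); keys elsewhere (commonly
# /etc/apt/keyrings/) count only where a source entry names them with
# signed-by= (one-line format) or Signed-By: (deb822 .sources format).

# Print the keyring paths a sources file binds its repositories to.
# $1 = a sources.list-style or .sources (deb822) file.
apt_signed_by_refs() {
    # deb822: "Signed-By: /path/a.gpg /path/b.gpg"; an empty value means the
    # key is embedded inline as an armored block on the following lines.
    awk 'tolower($1) == "signed-by:" {
             if (NF < 2) print "(inline armored key block)"
             for (i = 2; i <= NF; i++) print $i
         }' "$1"
    # one-line: "deb [arch=amd64 signed-by=/path/a.gpg] http://... suite comp"
    sed -n 's/^deb[^[]*\[\([^]]*\)\].*/\1/p' "$1" \
        | tr ' ,' '\n\n' | sed -n 's/^signed-by=//p'
}

# Entries that switch signature checking OFF for a repository ("trusted=yes"
# in one-line format, "Trusted: yes" in deb822). Each hit is a finding.
apt_unsigned_entries() {
    grep -nE '^deb[^[]*\[[^]]*trusted=yes|^[Tt]rusted:[[:space:]]*yes' "$1" || true
}

# Fingerprints of every key in a keyring file (binary .gpg or armored .asc),
# read without importing anything.
keyring_fingerprints() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Full audit: global trust stores first, then per-repository bindings.
audit_apt_trust() {
    echo "== keys trusted for ALL repositories =="
    for f in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*; do
        [ -f "$f" ] || continue
        echo "-- $f"
        keyring_fingerprints "$f" | sed 's/^/   /'
    done
    echo "== per-repository keyrings named by source entries =="
    for f in /etc/apt/sources.list /etc/apt/sources.list.d/*; do
        [ -f "$f" ] || continue
        apt_signed_by_refs "$f" | while IFS= read -r ref; do
            echo "$f -> $ref"
        done
        apt_unsigned_entries "$f" | while IFS= read -r hit; do
            echo "WARNING: signature checking disabled in $f:$hit"
        done
    done
}

# Usage: sh apt_trust_audit.sh audit
if [ "${1:-}" = audit ]; then
    audit_apt_trust
fi
```

Run the audit before and after adding a repository and diff the output: a new fingerprint under the global stores means that key can now sign any package APT installs, whereas a new line under the per-repository section is scoped to the entry that names it.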

Step 5: Import a trusted RPM GPG key.
Command
rpm --import /path/to/RPM-GPG-KEY

Importing a key is a trust decision. In real operations, you verify the key fingerprint from an independent channel before you add it to a host’s trust store.

# Re-run verification after import:
rpm --checksig vim.rpm
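Steps 1, 2 and 5 together form one decision: verify, and if the key is missing, bring it in only after checking its fingerprint, then verify again. The script below is an added example that is not part of the lab; it wraps rpm -Kv in a fail-closed gate that classifies each result line, and it refuses rpm --import unless the key file's fingerprint equals one you supply from an independent channel. It assumes a POSIX shell, rpm and gpg 2.1.23 or newer; vim.rpm, the key file path and the expected fingerprint are placeholders given on the command line.

```shell
#!/bin/sh
# Added example, not part of the lab: a fail-closed gate around rpm -Kv
# (Steps 1 and 2) and a fingerprint check in front of rpm --import (Step 5).
# Assumes a POSIX shell, rpm and gpg 2.1.23+; "vim.rpm", the key file and the
# expected fingerprint are placeholders supplied on the command line.

# Classify one line of rpm -K / rpm -Kv output. Prints one word:
#   ok      - this check passed
#   nokey   - the package is signed, but the key is missing from the RPM
#             database or not trusted (NOKEY / NOTTRUSTED / MISSING KEYS)
#   bad     - a digest or signature did not verify (never install)
#   unknown - output this parser does not recognise (treated as a failure)
rpm_sig_status() {
    case "$1" in
        *"MISSING KEYS"*|*NOKEY*|*NOTTRUSTED*)  echo nokey ;;
        *"NOT OK"*|*": BAD"*)                   echo bad ;;
        *" OK")                                 echo ok ;;
        *)                                      echo unknown ;;
    esac
}

# Reduce all output lines on stdin to the worst status seen
# (bad > nokey > unknown > ok). The "pkg.rpm:" header line of -Kv is skipped.
rpm_sig_worst() {
    worst=ok
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in *:) continue ;; esac
        case "$(rpm_sig_status "$line")" in
            bad)     worst=bad ;;
            nokey)   if [ "$worst" != bad ]; then worst=nokey; fi ;;
            unknown) if [ "$worst" = ok ]; then worst=unknown; fi ;;
        esac
    done
    echo "$worst"
}

# Run the verbose check (Step 2) and fail unless every line verified.
verify_rpm_or_fail() {
    pkg=$1
    out=$(rpm -Kv "$pkg" 2>&1) || true     # verdict is re-derived from the text
    printf '%s\n' "$out"
    case "$(printf '%s\n' "$out" | rpm_sig_worst)" in
        ok)    echo "PASS: $pkg verified against a key in the RPM database"; return 0 ;;
        nokey) echo "FAIL: $pkg is signed by a key this host does not trust; import it only after a fingerprint check" >&2; return 1 ;;
        bad)   echo "FAIL: $pkg digest/signature mismatch; treat as tampered" >&2; return 1 ;;
        *)     echo "FAIL: could not interpret rpm -Kv output for $pkg" >&2; return 1 ;;
    esac
}

# Fingerprints in a public key file, read without importing it.
key_fingerprints() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Step 5 as a trust decision: import only if the file's fingerprint equals the
# one obtained through an independent channel (vendor page, signed mail).
import_key_if_fingerprint_matches() {
    keyfile=$1
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    if key_fingerprints "$keyfile" | grep -qx "$expected"; then
        rpm --import "$keyfile"
        # What the RPM database now trusts; %{SUMMARY} carries the key's user ID.
        rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'
    else
        echo "REFUSING import: $keyfile does not carry fingerprint $expected" >&2
        return 1
    fi
}

# Usage: sh rpm_gate.sh vim.rpm [RPM-GPG-KEY-file EXPECTED-FINGERPRINT]
if [ "$#" -ge 3 ]; then
    import_key_if_fingerprint_matches "$2" "$3"
fi
if [ "$#" -ge 1 ]; then
    verify_rpm_or_fail "$1"
fi
```

The parser is deliberately conservative: any wording it does not recognise is reported as a failure rather than silently accepted, so an rpm release that changes its output makes the gate loud instead of blind.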

Reference

  • rpm --checksig <pkg.rpm> : Verifies RPM signature and digest using trusted RPM keys.
  • rpm -Kv <pkg.rpm> : Verifies signature and digest with more detailed output.
  • dpkg-deb --info <pkg.deb> : Displays Debian package metadata and control fields.
  • /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/ : Common APT trust stores for repository keys.
  • rpm --import <keyfile> : Imports a public key into the RPM trust database for signature verification.