Software Packages and GPG Signing

What GPG Package Signing Is

“GPG” as an acronym means “GNU Privacy Guard.”

It’s a play on the older and compatible but not open-source PGP – “Pretty Good Privacy.”

Both are means of digitally signing messages or other digital packages.


1: In order to use any keys you must first get them, then import them. Get the Fedora key from:

See the Fedora GPG Keys page for details ( Change directories to the directory containing the key.

Note that a key also has a fingerprint, distributed as either a file or a simple text string that you save to a file. The fingerprint of the [email protected] key is:

CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2



-Assignment: see Gstreamer for an example of how to confirm a key using a fingerprint. (We’re only interested in Step 2.)

(How can a public key be distributed like this and still provide security?)

-Assignment: see the man page on wget for instructions on this simple ftp program


3: Now, working in a terminal in the directory containing the key and the fingerprint (saved as a text file), and using the Gstreamer site as an example, issue this command:

gpg –with-fingerprint RPM-GPG-KEY-fedora | head -n 3 | diff – fingerprint

The final diff command had better not show any “difference!” If it does the key is suspect. Get it again, or get the heck out.


Importing Keys

It is essential to ease-of-use that you be working in a terminal in the directory containing the key. When you download a key, go to the directory containing the key.

Now you can issue an import command:

Red Hat 7.x
gpg –import <keyfile>

Red Hat 8.0 and later (including Fedora)
rpm –import <keyfile>

Now that you’ve done this, packages from the Fedora/Red Hat (.com) repository will be accepted without complaint (under most circumstances). If you accept packages from other repositories, you’ll need their keys as well (and you’ll need to import them).

Assignment: Go to FreshRPMs and install their package-management configuration package: