RPM Repository security for RedHat and CentOS

RPM packages are frequently organized into repositories. Generally, such repositories include groups of packages with different functions. Security is always a concern when downloading packages over the internet: if an attacker compromises the repository, you have no way of knowing which packages are genuine.

GNU Privacy Guard (GPG) key
The key to repository security is the GNU Privacy Guard (GPG) key; GPG is the open-source implementation of Pretty Good Privacy (PGP).
GPG keys are stored in the /etc/pki/rpm-gpg directory. In addition, once imported, the GPG key is included in the RPM database, where it can be listed with the rpm -qa gpg-pubkey command.

In this example we will install the GPG key for the RPMforge repository.

To import the GPG key

#rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt

To list repository keys

#rpm -qa gpg-pubkey

To get information on a specific key

#rpm -qi gpg-pubkey-db42a60e

To delete a key

#rpm -e gpg-pubkey-db42a60e

Verifying an installed package compares information about that package with the information stored in the RPM database on the system.

To verify all files (this can take a very long time to complete)

#rpm --verify -a

To verify, for example, the file /bin/pwd

#rpm --verify --file /bin/pwd or rpm -Vf /bin/pwd
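The output of rpm --verify is a nine-character attribute string (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities; a dot means the test passed), an optional file-type marker (c config, d documentation, g ghost, l license, r readme) and the path, or the word "missing". On a real system most of that output is noise from edited config files and touched timestamps, so the useful defender's step is to filter it down to what matters: non-config files whose size, mode or digest changed, and files that are missing. The following script is an added example, not part of the original page; it runs over constructed sample lines (not captured from any real host) so it works without rpm installed, and the function flag_suspicious is a hypothetical name chosen here.

```shell
#!/bin/sh
# Added example: triage "rpm --verify" / "rpm -Va" output.
# The sample below is constructed for illustration, not real system output.
SAMPLE_VERIFY_OUTPUT='S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/foo/README
S.5....T.    /usr/bin/pwd
missing     /usr/sbin/sshd
.M.......    /usr/bin/sudo
.......T.    /usr/lib64/libz.so.1
prelink: /usr/bin/bar: at least one of file'"'"'s dependencies has changed'

# flag_suspicious: read verify output on stdin, print only the lines a
# defender should look at. Config, doc, ghost, license and readme files are
# expected to differ, so they are skipped; any other file with a size (S),
# mode (M) or digest (5) change is printed, as is every "missing" entry.
flag_suspicious() {
    awk '
        $1 == "missing"      { print; next }   # file removed from disk
        length($1) != 9      { next }          # not an attribute string (prelink/warning lines)
        $2 ~ /^[cdglr]$/     { next }          # file-type marker: expected to change
        $1 ~ /[SM5]/         { print }         # content or permission change on a regular file
    '
}

# count_suspicious: same filter, but returns the number of flagged lines,
# which is convenient for a monitoring check that alerts on a non-zero count.
count_suspicious() {
    flag_suspicious | awk 'END { print NR }'
}

# Stand-alone usage on the constructed sample:
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | flag_suspicious
printf 'suspicious entries: %s\n' "$(printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | count_suspicious)"
```

In practice you would feed it the real output with rpm -Va 2>/dev/null | flag_suspicious; a digest change on a binary in /usr/bin or a missing daemon is what to investigate, while an edited sshd_config with the c marker is normal administration.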

More information on GnuPG (GPG) is available at http://www.gnupg.org/