10. Using GPG signatures

apt has GnuPG (gpg) support, so you can use it to make sure that the packages you get from your vendor are genuine (or, if you are a GNU/Linux vendor, to provide this assurance to your users).

apt has no support for PGP (the program), only for GnuPG, so don't waste your time trying to use PGP with it.

The sources.list syntax has to be changed for this to work.

    rpm [gpg-id] uri distribution component [component ...]

The gpg-id[1] is a label for the key the vendor uses to sign its packages. It is resolved through the vendors.list file, which maps each label to the last part of the vendor's key fingerprint: the 16 hex digits that form the key's ID.

Example 4. vendors.list

    # Trusted Package Provider List
    #
    # This file contains the list of package providers (vendors or individuals)
    # whose packages you trust.
    #  
    cncbr   E368DDD099807190 "Conectiva S.A. <security@conectiva.com.br>"

After making this change, that is, after introducing the [gpg-id] field, you also have to make sure that your vendor's public key is in your gpg keyring.

Example 5. Importing gpg keys

    # gpg --import file-with-key

In Example 5, file-with-key is a file containing your vendor's public gpg key.

Run this command as root so that the key goes into root's keyring: since only root can install, remove or otherwise manipulate packages, it makes no sense to import the key into any other user's keyring. Before relying on the imported key, compare its full fingerprint (gpg --fingerprint) with one obtained from the vendor through an independent channel, since anyone can generate a key carrying the vendor's name and address.
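The three steps above fit together as follows. This is an added example, not part of the HOWTO or of apt-rpm itself: it parses a sources.list and a vendors.list, resolves each [gpg-id] label to the key ID that vendors.list assigns it, and checks that ID against the fingerprints gpg reports for root's keyring. The cncbr entry reuses the vendors.list line from Example 4; the "acme" vendor, every URI and the gpg output are constructed for illustration. The only gpg format relied on is the colon-separated output of gpg --with-colons --fingerprint, in which "fpr" records carry the fingerprint in field 10.

```python
import re

# Constructed sample configuration (not the real Conectiva files).  The cncbr
# line is the HOWTO's own vendors.list entry; "acme" and all URIs are hypothetical.
VENDORS_LIST = """\
# Trusted Package Provider List
cncbr   E368DDD099807190 "Conectiva S.A. <security@conectiva.com.br>"
acme    89ABCDEF01234567 "ACME Packaging <security@acme.example>"
"""

SOURCES_LIST = """\
rpm [cncbr] http://apt.vendor.example/conectiva 5.0/conectiva main updates
rpm [acme] http://mirror.acme.example/apt 1.0/acme main extra
rpm http://unsigned.example/apt 1.0/misc main
"""

# Constructed `gpg --with-colons --fingerprint` output for root's keyring:
# only the hypothetical acme key has been imported.  Real output carries more
# record types; only "fpr" records (fingerprint in field 10) are read here.
GPG_COLONS = """\
pub:u:1024:17:89ABCDEF01234567:2000-01-01:::u:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""

KEY_ID_RE = re.compile(r"^[0-9A-F]{16}$")
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")   # OpenPGP v4 fingerprint
URI_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:")  # http://, ftp://, file:/ ...


def key_id_from_fingerprint(fingerprint):
    """Last 16 hex digits of a v4 fingerprint: the ID vendors.list expects."""
    fpr = fingerprint.replace(" ", "").upper()
    if not FINGERPRINT_RE.match(fpr):
        raise ValueError("not a 40-digit PGP fingerprint: %r" % fingerprint)
    return fpr[-16:]


def parse_vendors_list(text):
    """Map label -> (key_id, description) from vendors.list."""
    vendors = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(\S+)\s+(\S+)\s+"([^"]*)"$', line)
        if m is None:
            raise ValueError("vendors.list line %d: cannot parse %r" % (lineno, raw))
        label, key_id, description = m.groups()
        key_id = key_id.upper()
        if not KEY_ID_RE.match(key_id):
            raise ValueError("vendors.list line %d: %r is not a 16-digit hex key ID" % (lineno, key_id))
        vendors[label] = (key_id, description)
    return vendors


def parse_sources_list(text):
    """Parse `rpm [gpg-id] uri distribution component...` lines.

    Returns a list of dicts; gpg_id is None for an unsigned source."""
    sources = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != "rpm":
            raise ValueError("sources.list line %d: unsupported type %r" % (lineno, fields[0]))
        gpg_id = None
        # The brackets are literal: they mark the token as a vendor label.
        if len(fields) > 1 and fields[1].startswith("[") and fields[1].endswith("]"):
            gpg_id = fields[1][1:-1]
            del fields[1]
        if len(fields) < 4:
            raise ValueError("sources.list line %d: need uri, distribution and a component" % lineno)
        uri = fields[1]
        if not URI_SCHEME_RE.match(uri):
            # A label written without brackets ends up here, taken as the URI.
            raise ValueError("sources.list line %d: %r is not a URI; a gpg-id must be in brackets" % (lineno, uri))
        sources.append({"gpg_id": gpg_id, "uri": uri,
                        "distribution": fields[2], "components": fields[3:]})
    return sources


def keyring_key_ids(colons_output):
    """Key IDs of every fingerprint in `gpg --with-colons --fingerprint` output."""
    ids = set()
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            ids.add(key_id_from_fingerprint(fields[9]))
    return ids


def check_sources(sources, vendors, keyring_ids):
    """For each signed source: {label: (key_id, key present in keyring)}.

    A label missing from vendors.list is reported as an error here."""
    report = {}
    for src in sources:
        label = src["gpg_id"]
        if label is None:
            continue
        if label not in vendors:
            raise KeyError("sources.list uses gpg-id %r, which is not in vendors.list" % label)
        key_id = vendors[label][0]
        report[label] = (key_id, key_id in keyring_ids)
    return report


if __name__ == "__main__":
    result = check_sources(parse_sources_list(SOURCES_LIST),
                           parse_vendors_list(VENDORS_LIST),
                           keyring_key_ids(GPG_COLONS))
    for label, (key_id, present) in sorted(result.items()):
        print("%-6s %s %s" % (label, key_id, "imported" if present else "MISSING from root keyring"))
```

Run as root against the real files (cat /etc/apt/sources.list, /etc/apt/vendors.list, and the output of gpg --with-colons --fingerprint) and any label reported as MISSING is a vendor whose key still has to be imported, while a label that parse_sources_list rejects is usually one written without the brackets.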

Notes

[1]

The brackets around gpg-id in sources.list are literal and must be there: they are what tells apt that the token is a vendor label rather than the URI.