Before using rpm's --checksig option, you need to obtain the public key of the person/institution that signed the package. You can get the pubic key from the offical web site (and assume it's not been hacked), from an e-mail, from a pgp keyserver, or where ever. (Once you do, you can use the key's fingerprint to verify the key with a trusted source and then you can sign the key and so record how much trust you have in the key. How far you want to go depends on how paranoid you are and how much you want to participate in the "web of trust.")
Here's an example, to be able to check the signature of packages signed by RedHat Inc.:
Go to:
http://www.redhat.com/about/contact/pgpkey.html
and obtain redhat's pgp key. Let's say you download
http://www.redhat.com/about/contact/redhat.asc
and put it in a file named
redhat.asc
Save the key into your personal public keyring with (note $ is the command prompt):
$ gpg --import redhat.asc
$ gpg --list-keys
You can now get rid of redhat.asc:
$ rm -f redhat.asc
OR, you can get a key from a public keyserver. First find the key you need:
$ rpm --checksig xsane-0.61-3.i386.rpm
xsane-0.61-3.i386.rpm: md5 (GPG) OK (MISSING KEYS: GPG#DB42A60E)
Get the key:
$ gpg --keyserver wwwkeys.pgp.net --recv-keys DB42A60E
$ gpg --list-keys
Now, if a package has been signed by redhat:
$ rpm --checksig xsane-0.61-3.i386.rpm
xsane-0.61-3.i386.rpm: md5 gpg OK
you won't get a complaint about a missing gpg key.
See:
http://www.gnupg.org
Regards,
Karl O. Pinc
