Old 09-04-2009, 12:43 AM   #1
Registered: May 2007
Posts: 146

Rep: Reputation: 18
basic public key questions

Hi there
I was given to understand that public keys were used by people to encrypt messages and that they are decrypted using a private key. When I added freshrpms as a repository for a friend who has Linpus Linux Lite (based on Fedora 8), they said I needed a public GPG key.
Why do I need the keys used to sign the packages if public keys are used to encrypt messages?
Also at freshrpms it says to download the RPM-GPG-KEY-freshrpms then do:
#rpm --import RPM-GPG-KEY-freshrpms
#rpm --import /usr/share/doc/fedora-release-*/RPM-GPG-KEY-fedora
All I did was something like:
#rpm --import
and things worked.
Was there an error in my procedure? Are there security problems that could arise from me doing other than they said at freshrpms? If so, what? If what I did was incomplete, what does it mean in terms of what is missing and what I should do next? What should I do next when advising him on repos and stuff? What is the command to download RPM-GPG-KEY-freshrpms?
Do the other default repositories on Linpus need public keys downloading and importing too?
Sorry for so many questions, but I'm new to public keys and encryption, so any answers would be great. Thank you for your time.
Old 09-04-2009, 12:48 AM   #2
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
The (repo's) public key is used to verify the signature on the packages by the repo's private key.

At some point, you're supposed to validate the fingerprint on the repo's public key. The only way to do that is to view what the repo says is the fingerprint, over a secure connection (SSL) to the repo's site (otherwise it could be tampered with in transit). Another way is to trust someone else's signature on the key (that has done the validation for you), but that typically doesn't happen in a case like this. (I'm just sayin).

At some point when you install some packages, you'll get a prompt to validate the key's fingerprint...

P.S. In case I didn't use enough parentheses, here's some more().
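
The fingerprint check described in reply #2, as an added example that is not part of either post: it reads the fingerprint of a downloaded key file and runs `rpm --import` only if it matches the value published on the repo's HTTPS page. The function names, the `PUBLISHED_FPR` placeholder and the sample key listing are constructed for illustration, and `gpg --show-keys` assumes a reasonably recent GnuPG 2.x.

```shell
#!/bin/sh
# Added example: check a repo key's fingerprint before trusting it with rpm.

# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE_COLONS='pub:-:1024:17:89ABCDEF01234567:1100000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1100000000::::Example Repo <repo@example.invalid>:'

# Strip spaces, colons and newlines; upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read a colon-format key listing on stdin, print the primary key fingerprint.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of a key file, without importing it anywhere.
key_file_fpr() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | fpr_from_colons
}

# True only for two identical, full-length (40 hex digit, v4) fingerprints.
# Short key IDs are rejected on purpose: they are not a fingerprint.
fpr_matches() {
    fm_a=$(normalize_fpr "$1")
    fm_b=$(normalize_fpr "$2")
    case "$fm_a" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#fm_a}" -eq 40 ] || return 1
    [ "$fm_a" = "$fm_b" ]
}

# Import the key into the rpm keyring only if the fingerprint checks out.
# $1 = key file, $2 = fingerprint read from the repo's HTTPS page.
import_if_verified() {
    iv_actual=$(key_file_fpr "$1")
    if fpr_matches "$iv_actual" "$2"; then
        rpm --import "$1"
    else
        echo "fingerprint mismatch for $1: got '$iv_actual'" >&2
        return 1
    fi
}

# Usage (PUBLISHED_FPR is a placeholder for the value shown on the repo site):
#   import_if_verified RPM-GPG-KEY-freshrpms "$PUBLISHED_FPR"
#   rpm -K some-package.rpm    # then check a downloaded package's signature
```

Once the key is imported, `rpm -K` on a package reports whether its signature verifies against a key in the rpm keyring.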

