Verify Signatures Using GPG
- GnuPG is an Open Source alternative to Pretty Good Privacy (PGP) by Phil Zimmermann.
- GnuPG can be obtained from http://www.gnupg.org/.
- Most Linux distributions come with GnuPG installed by default.
- Verifying signatures using GPG is more reliable than MD5, but requires more work.
- Obtain a copy of MySQL AB's public GPG build key.
- Import the build key into the public GPG keyring.
- The import command looks like this:
gpg --import mysql_pubkey.asc
- Download the desired MySQL package and the corresponding signature.
- The signature file has the same name as the distribution file with an .asc extension.
- For example:
| Distribution file | mysql-standard-5.0.40-linux-i686.tar.gz |
| Signature file | mysql-standard-5.0.40-linux-i686.tar.gz.asc |
- Store both files in the same directory.
- Run the following command to verify the signature for the distribution file:
gpg --verify mysql-standard-5.0.40-linux-i686.tar.gz.asc
- A "Good signature" message indicates everything is all right.
- The insecure memory warning may be ignored if it shows up.
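The "good signature" check from the steps above, done by a script instead of by eye. This is an added example, not part of the original slides or of MySQL's tooling: it reads gpg's --status-fd lines and additionally requires the signing key's fingerprint to match one you supply. The names check_status, verify_pkg, sample_status and SAMPLE_FPR are hypothetical, and the sample fingerprint and status lines are constructed.

```shell
#!/bin/sh
# Added example: decide pass/fail from gpg's machine-readable status lines
# rather than from the human-readable "Good signature" text.

# check_status EXPECTED_FPR   (reads "gpg --status-fd" output on stdin)
# Returns 0 only if a GOODSIG line is present, a VALIDSIG line carries
# EXPECTED_FPR, and no line reports a bad, expired or revoked signature/key.
check_status() {
    expected=$1 good=0 valid=0
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            GOODSIG)  good=1 ;;
            VALIDSIG) if [ "$arg1" = "$expected" ]; then valid=1; fi ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$valid" -eq 1 ]
}

# verify_pkg PACKAGE EXPECTED_FPR
# Assumes PACKAGE.asc sits beside PACKAGE and the build key is already imported.
verify_pkg() {
    pkg=$1 fpr=$2
    if [ ! -f "$pkg" ] || [ ! -f "$pkg.asc" ]; then
        echo "missing $pkg or $pkg.asc" >&2
        return 2
    fi
    gpg --batch --status-fd 1 --verify "$pkg.asc" "$pkg" 2>/dev/null |
        check_status "$fpr"
}

# Constructed sample data: not real gpg output and not MySQL's real key.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {   # $1 = GOODSIG or BADSIG
    printf '[GNUPG:] %s 89ABCDEF01234567 Example Build Key <build@example.invalid>\n' "$1"
    [ "$1" = GOODSIG ] || return 0
    printf '[GNUPG:] VALIDSIG %s 2007-01-01 1167609600 0 3 0 17 2 00 %s\n' \
        "$SAMPLE_FPR" "$SAMPLE_FPR"
}

# Usage (the fingerprint is whatever you confirmed out of band for the build key):
#   verify_pkg mysql-standard-5.0.40-linux-i686.tar.gz "$EXPECTED_FPR" && echo OK
```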
How do I perform signature checking using RPM?
© 2007 John Michael Pierobon