Linux Package Signing and Verification: gpg, sha256sum, and rpm --checksig

Linux | RSH NETWORK | February 03, 2026

Learn how to verify the authenticity and integrity of Linux packages using gpg, sha256sum, and rpm --checksig.

πŸ›‘οΈ Why Package Verification Matters

Verifying packages ensures:

  • Authenticity: confirm the package really comes from the publisher who holds the signing key

  • Integrity: detect tampering or corruption, whether in transit or on a mirror

  • Security: prevent a modified or backdoored package from being installed

πŸ” Verifying with GPG

Import public key:
bash
gpg --import public.key

  •  

Verify signature:
bash
gpg --verify package.tar.gz.sig package.tar.gz

  •  

List keys:
bash
gpg --list-keys

  •  

πŸ” Checking Hashes with sha256sum

Generate hash:
bash
sha256sum package.tar.gz

  •  

Compare with published hash:
bash
diff <(sha256sum package.tar.gz) expected_hash.txt

  •  

📦 RPM Signature Check

Import the vendor's signing key into the RPM database first:
```bash
rpm --import RPM-GPG-KEY-vendor
```

Verify the RPM package (rpm -K is the short form):
```bash
rpm --checksig package.rpm
```

  • The output shows whether the package is signed and valid: "digests signatures OK" means the digests and signature check out, "NOKEY" means the signing key has not been imported, and "NOT OK" means the package or its signature does not match

🧠 Pro Tips

  • Always obtain keys from a trusted source and check the full fingerprint against one published out of band (vendor documentation, a release announcement)

  • Use gpg --keyserver <server> --recv-keys <key id> for automation, and pin the full fingerprint rather than a short key id, since short ids can collide

  • Use sha256sum -c SHA256SUMS to verify multiple files at once against a checksum list
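As an added example (not part of the original post), the bash functions below pin the expected SHA-256 value and judge a detached gpg signature by its --status-fd lines, so an expired or revoked signing key, or a good signature from some other key that happens to be in the keyring, is rejected. The fingerprint, key id and file names are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. The fingerprint, key id and
# file names are constructed placeholders, not real vendor values.
set -u

# Check that FILE hashes to EXPECTED_HEX. sha256sum -c reads its own
# "<hash>  <name>" format from stdin, so no checksum file is needed. Exit 0 = match.
verify_sha256() {
    local file="$1" expected="$2"
    printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status
}

# Read gpg --status-fd lines on stdin and accept only a VALIDSIG made by the
# pinned fingerprint. BADSIG, ERRSIG, EXPKEYSIG and REVKEYSIG are rejected even
# when they appear alongside a VALIDSIG line. Exit 0 = accepted.
signature_accepted() {
    local pinned_fpr="$1" line ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG $pinned_fpr "*)
                ok=0 ;;
        esac
    done
    return "$ok"
}

# Combined check for a real download: pinned hash first, then the detached
# signature judged on status lines rather than on gpg's bare exit code.
verify_package() {
    local file="$1" sig="$2" expected_hex="$3" pinned_fpr="$4"
    verify_sha256 "$file" "$expected_hex" || { echo "checksum mismatch: $file" >&2; return 1; }
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | signature_accepted "$pinned_fpr" || { echo "signature rejected: $file" >&2; return 1; }
    echo "verified: $file"
}

# Offline demonstration with a constructed file; sha256("hello\n") is pinned below.
demo_pinned_hash() {
    local tmp; tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_sha256 "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    local rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Call verify_package with the downloaded file, its .sig, the hash from the publisher's checksum list and the documented signing-key fingerprint; the checksum check runs offline, the signature step needs gpg and the imported key.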

Visit our website to learn more 👉 https://rshnetwork.com/
