rpmkeys - Man Page

RPM Keyring

Synopsis

rpmkeys {-K|--checksig} [options] PACKAGE_FILE ...

rpmkeys {-d|--delete|-e|--erase} [options] FINGERPRINT ...

rpmkeys {-x|--export} [options] [FINGERPRINT ...]

rpmkeys {-i|--import} [options] PUBKEY ...

rpmkeys {-l|--list} [options] [FINGERPRINT ...]

rpmkeys --rebuild [options] [rebuild-options]

Description

rpmkeys is used for manipulating the rpm keyring and verifying package digital signatures with the contained keys.

For all available operations, see Operations.

Operations

-K,  --checksig

Verify the digests and signatures contained in PACKAGE_FILE to ensure the integrity and origin of the package.

-d,  --delete,  -e,  --erase

Erase the key(s) designated by FINGERPRINT.

-x,  --export

Output the key(s) designated by FINGERPRINT using an ASCII-armor encoding.  If FINGERPRINT is not specified, output all keys.

-i,  --import

Import ASCII-armored public keys. Digital signatures cannot be verified without the corresponding public key (aka certificate).

-l,  --list

List currently imported public key(s) (aka certificates) by their fingerprint and user ID. If no fingerprints are specified, list all keys.

--rebuild

Recreate the public key storage. Update to the latest format and drop unreadable keys.

Arguments

FINGERPRINT

The handle used for all operations on the keys.

PACKAGE_FILE

An rpm package file or a manifest.

PUBKEY

An ASCII-armored OpenPGP public key (aka certificate).

Options

See rpm-common(8) for the options common to all rpm executables.

Rebuild Options

--from <fs|openpgp|rpmdb>

Use the keys from the specified backend to rebuild the currently configured keystore backend. This can be used to convert from one key storage to another.

Output

--checksig

  <PACKAGE_FILE>: <element> <element> <OK|NOT OK>

With --verbose:

  <PACKAGE_FILE>:
      <element>: <OK|NOTFOUND|BAD>
      ...

--list

  <fingerprint> <name> <userid> public key

Configuration

There are several configurables affecting the behavior of this verification, see rpm-config(5) for details:

Exit Status

On success, 0 is returned, a non-zero failure code otherwise.

Examples

rpmkeys --export 771b18d3d7baa28734333c424344591e1964c5fc | sq inspect

Export key 771b18d3d7baa28734333c424344591e1964c5fc for inspecting with sequoia-sq.

rpmkeys --erase 771b18d3d7baa28734333c424344591e1964c5fc

Erase key 771b18d3d7baa28734333c424344591e1964c5fc from the keyring.

rpmkeys -K hello-2.0-1.x86_64.rpm

Verify hello-2.0-1.x86_64.rpm package file.
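
An added example, not part of the rpm documentation: gating on the non-verbose --checksig line described under Output. A package that carries no signature can still end in OK because only its digests were checked, so the function also requires a signature element. The element names digests and signatures, the helper names classify_checksig and verify_rpm, and the sample lines in the comments are assumptions; this page shows only <element>.

```shell
#!/bin/sh
# classify_checksig LINE (hypothetical helper)
# Classify one line of non-verbose `rpmkeys -K` output:
#   <PACKAGE_FILE>: <element> <element> <OK|NOT OK>
# Prints verified, unsigned, failed or unparsed; returns 0 only for verified.
classify_checksig() {
    line=$1
    # Cut at the LAST ": " so file names that contain ':' stay intact.
    result=${line##*: }
    if [ "$result" = "$line" ]; then echo unparsed; return 2; fi
    case $result in
        *" NOT OK") echo failed; return 1 ;;
        *" OK")     elements=${result% OK} ;;
        *)          echo unparsed; return 2 ;;
    esac
    # OK only covers the elements that were present. Assumption: a signed
    # package lists an element named "signatures"; digests alone means
    # nothing was checked against the keyring.
    case " $elements " in
        *" signatures "*) echo verified; return 0 ;;
        *)                echo unsigned; return 1 ;;
    esac
}

# verify_rpm FILE (hypothetical helper): succeed only for a verified signature.
verify_rpm() {
    # LC_ALL=C avoids translated output; the exit status is not used because
    # the output line is classified instead.
    out=$(LC_ALL=C rpmkeys -K "$1" 2>/dev/null) || true
    status=$(classify_checksig "$out") || true
    echo "$1: $status" >&2
    [ "$status" = verified ]
}
```

verify_rpm expects a single package file; a manifest produces one output line per package, and each line has to be classified separately.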

See Also

popt(3), rpm(8), rpm-common(8), rpm-config(5), rpmsign(1)

rpmkeys --help - as rpm supports customizing the options via popt aliases it's impossible to guarantee that what's described in the manual matches what's available.

http://www.rpm.org/

Referenced By

rpm(8), rpmbuild(1), rpm-common(8), rpmsign(1).

2025-04-17