How does Fedora Project use GPG keys to sign packages?

Each stable RPM package that is published by Fedora Project is signed with a GPG signature. By default, dnf and the graphical update tools will verify these signatures and refuse to install any packages that are not signed or have bad signatures. You should always verify the signature of a package before you install it. These signatures ensure that the packages you install are what was produced by the Fedora Project and have not been altered (accidentally or maliciously) by any mirror or website that is providing the packages.

Packages downloaded directly from the Koji build system do not carry signatures, so you should use them with caution. Similarly, bleeding-edge packages in Rawhide are not necessarily signed.


Importing keys

The keys are included in the fedora-release package; you can find them in the /etc/pki/rpm-gpg directory. Please note that not all keys in this directory are used by the Fedora Project: some are used for signing Red Hat Enterprise Linux packages, and some are no longer used at all. If you use Red Hat Enterprise Linux packages, see https://www.redhat.com/security/team/key. The keys used by Fedora are enabled in the dnf repository configuration, so you generally don't need to import them into the rpm database by hand.

In addition to the fedora-release package and this web page, you can download the Fedora keys from a public key server, such as keys.gnupg.net.

For some repositories, such as the stable and testing repositories in the default configuration, dnf is able to find the proper key for the repository and asks the user for confirmation before importing it, if the key is not already present in the rpm database.

You can always import a key into RPM's database by hand using the following command:

rpm --import PUBKEY ...

Refer to the rpm manual for more information.

If you want to verify that the keys installed on your system match the keys listed here, you can use GnuPG to check that the fingerprint of the key matches. For example:

$ gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-primary
...
pub  4096R/D22E77F2 2009-01-19 Fedora (11) <fedora@fedoraproject.org>
      Key fingerprint = AEE4 0C04 E345 60A7 1F04  3D7C 1DC5 C758 D22E 77F2
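The fingerprint comparison above, and the unsigned-package caveat for Koji and Rawhide builds, as an added shell example (not part of this page or of Fedora's tooling). It assumes GnuPG 2.2 or later for --show-keys, and that the expected fingerprint is copied from a trusted source such as this page or the fedora-release package; the sample gpg output embedded below is constructed so the comparison can be exercised without a key file.

```shell
#!/bin/sh
# Normalize a human-readable fingerprint: drop whitespace, force uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr '[:lower:]' '[:upper:]'
}

# From gpg --with-colons output on stdin, take the first "fpr" record
# (the primary key); the fingerprint is field 10 of that record.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare the fingerprint found in gpg output (stdin) with the expected one.
# Exit status 0 on match, 1 on mismatch or when no fingerprint was found.
check_fpr() {
    expected=$(normalize_fpr "$1")
    actual=$(fpr_from_colons)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Check an on-disk key file, e.g. /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-primary.
# Hypothetical helper name; needs gpg on PATH.
check_key_file() {
    gpg --quiet --with-colons --with-fingerprint --show-keys "$1" | check_fpr "$2"
}

# Show the signature tag of a package file. Note that rpm --checksig alone
# exits 0 for a package that was never signed, so check the tag explicitly:
# unsigned packages (for example Koji builds) print "(none)" here.
rpm_signature_of() {
    rpm -qp --qf '%{SIGPGP:pgpsig}\n' "$1"
}

# Constructed sample of gpg --with-colons output for the Fedora 11 key; the
# fingerprint is the one listed on this page.
SAMPLE_COLONS='pub:-:4096:1:1DC5C758D22E77F2:2009-01-19::::::::::
fpr:::::::::AEE40C04E34560A71F043D7C1DC5C758D22E77F2:
uid:-::::::::Fedora (11) <fedora@fedoraproject.org>:'

# Offline demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_COLONS" | check_fpr 'AEE4 0C04 E345 60A7 1F04  3D7C 1DC5 C758 D22E 77F2'; then
    echo "sample fingerprint matches"
else
    echo "sample fingerprint MISMATCH"
fi
```

To check a real key file, run check_key_file with the path and the expected fingerprint; a mismatch means the key on disk is not the one this page lists.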