A common (and commonly ignored) step when rebuilding Source RPMs from a remote archive is verifying the authenticity of the content. An archive maintainer may choose to sign, or not to sign, the RPM (and thus SRPM) content it releases. Implicitly, an archive that does sign its content gives a consumer of that content, remote in time or at another site, a way to verify the authenticity, integrity, and provenance of each package. An earlier post discussed using GPG to verify signed content in general. Have you ever wondered why using a signing key with RPM matters? This article discusses how to use signing keys to make your RPM packages more secure.
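As an added example (not code from the original post), the following script shows the check a consumer of a signed archive would script before running `rpmbuild --rebuild` on a downloaded SRPM: import the archive's public key, run `rpm --checksig`, and refuse the package unless a signature was actually verified. The output wording it matches ("digests signatures OK", "digests OK", "digests SIGNATURES NOT OK") is assumed to be that of rpm 4.14 or later, and the file names are placeholders; the sample lines in the usage note below are constructed. The important caveat it encodes is that an unsigned package still prints "digests OK" and rpm exits 0, so checking only the exit status verifies nothing.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: rpm 4.14+ output wording for `rpm --checksig`.

# Classify one line of `rpm --checksig` output.
# Prints one of: signed | unsigned | bad | unknown, and returns
# 0 only for "signed". An UNSIGNED package reports "digests OK"
# (and rpm exits 0), so the word "signatures" must be present.
rpm_sig_verdict() {
    line="$1"
    case "$line" in
        *"NOT OK"*)        echo "bad";      return 2 ;;
        *"signatures OK"*) echo "signed";   return 0 ;;
        *"digests OK"*)    echo "unsigned"; return 1 ;;
        *)                 echo "unknown";  return 3 ;;
    esac
}

# Import the archive's public key (obtained out of band, fingerprint
# compared against the archive's published value by hand), then verify
# the SRPM before any rebuild. Arguments: <srpm file> <public key file>.
verify_srpm() {
    srpm="$1"
    keyfile="$2"
    rpm --import "$keyfile" || return 3
    # Exit status is deliberately ignored here; the verdict string is
    # what decides, because "unsigned" also exits 0.
    out=$(rpm --checksig "$srpm") || true
    verdict=$(rpm_sig_verdict "$out")
    case "$verdict" in
        signed) echo "$srpm: signature verified"; return 0 ;;
        *)      echo "refusing $srpm: $verdict" >&2; return 1 ;;
    esac
}

# Stand-alone usage: sh verify-srpm.sh package.src.rpm RPM-GPG-KEY-archive
if [ "$#" -eq 2 ]; then
    verify_srpm "$1" "$2"
fi
```

To see which keys are already trusted on the build host, `rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} %{summary}\n'` lists the imported public keys; a rebuild pipeline should only ever import keys whose fingerprint was checked against the archive's published one, otherwise the "signed" verdict proves nothing about provenance.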

The link for this article located at orcorc is no longer available.