How to Verify RPM Package Integrity on Fedora
You downloaded a driver .rpm from a GitHub release page and ran sudo dnf install ./driver.rpm. The terminal spat out Public key for driver-1.0.rpm is not installed and refused to proceed. Or maybe you are auditing a production server and need to confirm that the kernel package hasn't been modified since it was signed by the Fedora maintainers. You need to verify the package integrity before you trust it with your system.
What's actually happening
RPM packages carry a cryptographic signature. Think of this signature as a tamper-evident seal on a sealed envelope. The Fedora Project signs every package in the official repositories with a GPG key. Your system stores copies of these keys in the trusted keyring. When you install a package, the package manager checks the signature against the keyring. If the math matches, the package is authentic and unmodified. If the math fails, the package could be corrupted or malicious. The system blocks the installation to protect you.
The verification has two parts. The digest check confirms the file content matches what was signed. The signature check confirms the key that signed the file is trusted. A broken digest means the file changed after signing. A broken signature means the key is missing, expired, or doesn't match.
The fix
Use rpm to verify signatures and file integrity. The rpm command is the low-level tool that handles the package database and cryptographic checks. dnf uses rpm under the hood for these operations.
Here's how to check a .rpm file you downloaded before you attempt to install it.
rpm -K /path/to/package.rpm
# -K checks the signature and digest without installing
# This reads the package header and validates against the local keyring
Here's how to verify a package that is already installed on your system.
rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}: %{SIGPGP:pgpsig}\n' firefox
# rpm -K only accepts package files; it has no option for installed packages
# For an installed package, the signature that was checked at install time is stored in the rpm database header, and this query prints it with the signing key ID
# Compare that key ID against rpm -qa gpg-pubkey to confirm it belongs to a key you trust
Here's how to inspect the files on disk to see if they have been modified since installation.
rpm -V firefox
# -V verifies the installed files against the rpm database
# This checks file sizes, permissions, checksums, and ownership
# An empty output means everything matches the database
Here's how to list the GPG keys your system currently trusts.
rpm -qa gpg-pubkey
# Lists every imported key as a pseudo-package named gpg-pubkey-<keyid>-<creation timestamp>
# Add --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' to see which issuer each key belongs to
# Useful for auditing which repositories are authorized on this system
Here's how to import a missing key when you trust the repository but the key isn't in your keyring yet.
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-custom-repo
# --import adds the key to the rpm database
# Fedora keys are usually pre-installed; third-party keys need this step
# Verify the fingerprint on the provider's website before importing
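The steps above are usually wrapped in a small gate that runs the signature check and refuses to go on unless both digests and signatures verified. The following is an added example written for this article, not part of rpm, dnf or Fedora tooling. It assumes the output format rpm 4.14 and later use (a one-line "digests signatures OK" summary, or per-check lines with -v where a missing key shows as NOKEY); the sample outputs and the key ID 0123abcd are constructed placeholders, so explain() can be exercised with no package file present, while rpm_checksig() is the only part that actually executes rpm.

```python
"""Pre-install gate around `rpm -K` for a downloaded package file.

Added example written for this article; it is not part of rpm, dnf or
Fedora tooling. explain() interprets the text rpm prints, so it can be run
on the constructed sample outputs below without any package present;
rpm_checksig() is the only function that actually executes rpm.
"""
import re
import subprocess

# One-line summary printed by `rpm -K` (no -v). The failing part is
# upper-cased, e.g. "digests SIGNATURES NOT OK".
SUMMARY_RE = re.compile(
    r"^(?P<file>[^:]+):\s+"
    r"(?P<words>(?:digests|signatures)(?:\s+(?:digests|signatures))?)\s+"
    r"(?P<verdict>OK|NOT OK)\s*$",
    re.IGNORECASE,
)
# Per-check detail lines printed by `rpm -Kv`, e.g.
#   "    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY"
#   "    Payload SHA256 digest: OK"
DETAIL_RE = re.compile(r"^\s*(?P<check>.+?):\s+(?P<status>OK|NOKEY|BAD|NOTTRUSTED|NOTFOUND)\s*$")
KEYID_RE = re.compile(r"key ID ([0-9A-Fa-f]+)")


def explain(output):
    """Reduce rpm -K / rpm -Kv output to a verdict plus any missing key IDs.

    verdict is one of "ok", "digest", "signature", "digest+signature" or
    "unknown" (no recognisable check lines at all; treat as a failure).
    """
    digest_bad = sig_bad = False
    saw_check = False
    missing_keys = []
    for line in output.splitlines():
        summary = SUMMARY_RE.match(line)
        if summary:
            saw_check = True
            if summary.group("verdict").upper() != "OK":
                words = summary.group("words").split()
                digest_bad |= "DIGESTS" in words
                sig_bad |= "SIGNATURES" in words
                if not (digest_bad or sig_bad):  # NOT OK without a capitalised hint
                    digest_bad = sig_bad = True
            continue
        detail = DETAIL_RE.match(line)
        if not detail:
            continue
        saw_check = True
        if detail.group("status") == "OK":
            continue
        check = detail.group("check").lower()
        if "digest" in check:
            digest_bad = True
        if "signature" in check:
            sig_bad = True
            key = KEYID_RE.search(line)
            if key and detail.group("status") == "NOKEY":
                missing_keys.append(key.group(1).lower())
    if not saw_check:
        verdict = "unknown"
    elif digest_bad and sig_bad:
        verdict = "digest+signature"
    elif digest_bad:
        verdict = "digest"
    elif sig_bad:
        verdict = "signature"
    else:
        verdict = "ok"
    return {"verdict": verdict, "missing_keys": missing_keys}


def should_install(result):
    """Only a clean verdict is acceptable; "unknown" counts as a failure."""
    return result["verdict"] == "ok"


def rpm_checksig(path):
    """Run `rpm -Kv` on a package file (needs rpm on PATH) and interpret it."""
    proc = subprocess.run(["rpm", "-Kv", path], capture_output=True, text=True)
    return explain(proc.stdout + proc.stderr)


# Constructed sample outputs in the format rpm 4.14+ prints; the key ID
# 0123abcd is a placeholder, not a real Fedora or vendor key.
SAMPLE_OK = "/tmp/package.rpm: digests signatures OK\n"
SAMPLE_NOKEY = """\
/tmp/driver-1.0.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""
SAMPLE_BAD_DIGEST = """\
/tmp/package.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: BAD
    Payload SHA256 digest: BAD
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python3 gate.py /path/to/package.rpm
        result = rpm_checksig(sys.argv[1])
    else:                  # offline demo on the constructed NOKEY output
        result = explain(SAMPLE_NOKEY)
    print(result)
    if not should_install(result):
        print("refusing to install; import the missing key only after checking its fingerprint")
        sys.exit(1)
```

The gate deliberately treats output it cannot parse as a failure rather than a pass, so an older rpm with a different summary format, or a truncated file that makes rpm print an error, never slips through. A NOKEY result comes back with the key ID so the operator knows exactly which key to look up and verify before importing it with rpm --import.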
Verify it worked
Run the verification command and check the output. A successful check prints digests and signatures OK.
/tmp/package.rpm: digests and signatures OK
If you see NOT OK, do not install the package. The output will indicate which check failed.
/tmp/package.rpm: digests signatures NOT OK
A digest failure usually means the file is corrupted or was altered. A signature failure means the key is missing or invalid. Check the key fingerprint and the source of the file before proceeding.
Common pitfalls and what the error looks like
The dnf command will refuse to proceed and print Error: GPG check FAILED if the signature verification fails. This error appears when the key is missing, the key is expired, or the package signature doesn't match the key. Read the error message carefully. It often tells you exactly which key is missing.
You might see pgp NOT OK when running rpm -K. This means the GPG signature is invalid or the key is not trusted. It does not necessarily mean the package is malicious. It could be a missing key import. Check if the repository provides a key file and import it.
Do not confuse rpm -K with rpm -V. rpm -K checks the cryptographic signature. rpm -V checks the files on disk against the database. A package can have a valid signature but modified files if someone changed files after installation. Use rpm -V to detect post-installation tampering.
The rpm -V output uses single-letter flags to indicate changes. Decode these flags to understand what changed.
S: File size differs.
M: Mode differs (permissions or file type).
5: MD5/SHA digest differs.
D: Device major/minor number mismatch.
L: Symbolic link string differs.
U: User ownership differs.
G: Group ownership differs.
T: Modification time differs.
A line starting with ..5....T. means the digest and modification time changed. This is a strong indicator of tampering or an incomplete update. The one routine exception is a file flagged c (config) in the attribute column after the flags: a locally edited config file shows the same ..5....T. pattern and is expected on most hosts, so weight a digest change on a binary or library far higher than one on a file under /etc.
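Decoding these flags by hand over a full rpm -Va run is tedious, and the interesting lines are the few where content changed on something that is not a config file. The following is an added example written for this article, not rpm's or Fedora's code: it parses rpm -V lines, decodes each flag, and ranks each entry by how suspicious it is. It assumes the current nine-column layout (the eight flags listed above plus P for file capabilities, with ? marking a test rpm could not perform) and the attribute letters c, d, g, l and r; the sample lines and file paths are constructed for the demo.

```python
"""Decode and triage `rpm -V` output.

Added example written for this article, not part of rpm or Fedora. The
sample lines below are constructed in the format rpm prints (file paths
are illustrative); in practice feed it the output of `rpm -V <pkg>` or
`rpm -Va`.
"""
import re

# Column order in rpm -V output: S M 5 D L U G T P. "P" (capabilities) is the
# ninth column in current rpm; "." means the test passed and "?" means it
# could not be performed (for example a file unreadable as the current user).
FLAG_MEANING = {
    "S": "size differs",
    "M": "mode differs",
    "5": "digest differs",
    "D": "device number differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
    "P": "capabilities differ",
    "?": "check not performed",
}
ATTR_MEANING = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)


def parse_line(line):
    """Split one rpm -V line into flags, attribute letter and path, or None."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    return {"flags": m.group("flags"), "attr": m.group("attr"), "path": m.group("path")}


def decode_flags(flags):
    """Turn a flag column such as '..5....T.' into human-readable changes."""
    if flags == "missing":
        return ["file missing"]
    return [FLAG_MEANING[ch] for ch in flags if ch != "."]


def assess(entry):
    """Rank how suspicious an entry is; config files are expected to drift."""
    flags, attr = entry["flags"], entry["attr"]
    if flags == "missing":
        return "high"
    changed = set(flags) - {".", "?"}
    if attr == "c" and changed <= {"S", "5", "T"}:
        return "info"      # locally edited config file, normal on most hosts
    if changed & {"5", "S", "L"}:
        return "high"      # content or link target changed on a non-config file
    if changed & {"M", "U", "G", "P", "D"}:
        return "medium"    # permissions, ownership or capabilities changed
    return "low"           # only mtime moved, or nothing decodable


def report(output):
    """Parse full rpm -V output and return entries sorted most suspicious first."""
    entries = []
    for line in output.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entries.append({
            "path": entry["path"],
            "attr": ATTR_MEANING.get(entry["attr"]),
            "severity": assess(entry),
            "changes": decode_flags(entry["flags"]),
        })
    return sorted(entries, key=lambda e: SEVERITY_RANK[e["severity"]])


# Constructed sample in rpm -V format (paths are illustrative).
SAMPLE_VERIFY = """\
S.5....T.  c /etc/firefox/pref/firefox.js
..5....T.    /usr/lib64/firefox/libxul.so
.M.......    /usr/bin/firefox
.......T.    /usr/share/doc/firefox/README
missing     /usr/lib64/firefox/plugin-container
"""

if __name__ == "__main__":
    for e in report(SAMPLE_VERIFY):
        print(f"{e['severity']:<6} {e['path']}  ({', '.join(e['changes'])})")
```

Run it as rpm -Va | python3 triage.py (after replacing the demo input with sys.stdin) on a host you are investigating; the two lines that deserve attention in the sample are the library whose digest changed and the missing binary, while the edited config file sinks to the bottom as expected local drift.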
Never disable signature checking globally in /etc/dnf/dnf.conf. Setting gpgcheck=0 bypasses all cryptographic verification. This leaves your system open to malicious packages. Only disable checks in a strictly controlled offline environment where you have verified packages through other means.
SELinux does not verify RPM signatures. dnf and rpm handle signature verification. SELinux enforces access control policies. If you see SELinux denials in journalctl -t setroubleshoot, they are unrelated to GPG checks. Read the SELinux summary before disabling the policy.
Config files in /etc/dnf/ control package manager behavior. Files in /usr/lib/dnf/ ship with the package. Edit the files under /etc/ and never the ones under /usr/lib/, because changes in /usr/lib/ are overwritten on package updates.
Run journalctl -xe to see detailed logs when dnf fails. The x flag adds explanatory text and the e flag jumps to the end. Most sysadmins type journalctl -xeu dnf to filter for dnf-related errors. This helps diagnose key import failures and repository issues.
When to use this vs alternatives
Use rpm -K when you need to check the cryptographic signature of a package file or installed package.
Use rpm -V when you suspect files on disk have been modified after installation.
Use rpm -qa gpg-pubkey when you are auditing which keys your system trusts.
Use rpm --import when you need to add a new GPG key to the trusted keyring.
Use rpm -e gpg-pubkey-KEYID when you need to remove a trusted key from the system.
Use dnf install with a local file when you have verified the signature and are ready to install.
Stay away from gpgcheck=0 unless you are in an air-gapped environment with no other verification method.
Verify the signature before you install. Trust is earned, not assumed.