how to?: verify download .rpm versus your GPG public key; in ruby query klayout-version string

First, in a klayout ruby script, how to get the klayout-version as a string (similar as, but without launching a subprocess: klayout -b -v)?

Second, on download GPG public key usage, I must be doing it wrong. When I import your GPG public key, and query keys in rpm-db before/after I can see "a" new key. Using centos-7.

# diff /tmp/{old,new}keys
> gpg-pubkey-3785d040-59bcd300

but the Signature field of the downloaded rpm says none, and when using checksig, there is no GPG mention in the output (no change to checksig output before/after importing your GPG public key into the rpm-db). Below I try to dump sigs of a sampling of other releases.
Thank you.

# rpm --checksig klayout-0.26.11-0.x86_64.rpm
klayout-0.26.11-0.x86_64.rpm: sha1 md5 OK
# rpm -qpi klayout-0.26.11-0.x86_64.rpm | grep ^Signature
Signature   : (none)
# md5sum klayout-0.26.11-0.x86_64.rpm
ad0dfb8a98c0368b429fdbf975befd57  klayout-0.26.11-0.x86_64.rpm

# ls -v *.rpm | xargs -n 1 -t rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p
rpm -q --qf %{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n -p klayout-0.24.10-1.1.x86_64.rpm
warning: klayout-0.24.10-1.1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID e8e680f0: NOKEY
klayout-0.24.10-3.1 (none) DSA/SHA1, Sat Apr  1 11:05:08 2017, Key ID 8c465e9ae8e680f0
rpm -q --qf %{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n -p klayout-0.26-0.x86_64.rpm
klayout-0.26-0 (none) (none)
rpm -q --qf %{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n -p klayout-0.26.3-0.x86_64.rpm
klayout-0.26.3-0 (none) (none)
rpm -q --qf %{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n -p klayout-0.26.8-0.x86_64.rpm
klayout-0.26.8-0 (none) (none)
rpm -q --qf %{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n -p klayout-0.26.11-0.x86_64.rpm
klayout-0.26.11-0 (none) (none)


  • Hi,

    the version you can obtain with (Python):


    Regarding the GPG key, RPMs are not signed currently due to a shift in the build strategy. I don't want to distribute my private key to open servers. You should build from source if you want to ensure integrity.


Sign In or Register to comment.