To use RPM's PGP-related capabilities, you'll need to have PGP installed on your system. If it's installed already, you should be able to flip to the chapters on verifying package signatures and signing packages and be in business in a matter of minutes. Otherwise, read on for a thumbnail sketch of what's required to install PGP.
The first step in being able to verify .rpm files is to get a copy of PGP. Unfortunately, this is not quite as simple as it might sound. The reason is that PGP is very controversial stuff.
Why the controversy? It centers on PGP's primary mission — to provide a means of communicating with others in complete privacy. As we've discussed, PGP uses encryption to provide this privacy. Good encryption. Very good encryption. Encryption so good, it appears some of the world's governments consider PGP a threat to their national security.
Various countries have differing stances on the use of "strong encryption" products such as PGP. In some countries, possession of encryption software is strictly forbidden. Other countries attempt to control the flow of encryption technology into (or out of) their country. It is vital you know your country's laws, lest you find yourself in prison, or possibly in front of a firing squad!
Over and above PGP's legal status, there are other aspects to PGP that people living in the U.S. and Canada should keep in mind:
PGP is free — for non-commercial use only. If you are going to use PGP for business purposes, you should look into getting a commercial copy. PGP is marketed in the United States by:
Pretty Good Privacy, Inc.
2121 S. El Camino Real
San Mateo, CA 94403
Part of the software that comprises PGP is protected by several United States patents. Versions of PGP approved for use in the U.S. contain a licensed version of this software, known as RSAREF. RSAREF includes a patent license that allows the use of the software in noncommercial settings only. Commercial use of the technology contained in RSAREF requires a separate license. This is one reason why there are restrictions on the commercial use of PGP in the United States and Canada.
While people outside the U.S. and Canada can use RSAREF-based PGP, they will probably choose the so-called "international" version. This version replaces RSAREF with software known as MPILIB. MPILIB is, in general, faster than RSAREF, but it cannot legally be used in the United States or Canada.
To summarize, if you are using PGP for commercial purposes in the U.S. or Canada, you'll need to purchase it. Otherwise, people living in the U.S. or Canada should use a version of PGP incorporating RSAREF. People in other countries can use any version of PGP they desire, though they'll probably choose the MPILIB-based "international" version  .
The official source for the latest version of PGP based on RSAREF is the Massachusetts Institute of Technology. Due to the restrictions on the export of encryption technology, the process is somewhat convoluted. The easiest way to obtain PGP from the official MIT archive is to use the World Wide Web. Point your web browser at:
Simply follow the steps, and you'll have the necessary software on your system in no time.
There is a more cumbersome method that doesn't use the Web. It involves first using anonymous ftp to obtain several files of instructions and license agreements. You will then be directed to use telnet to obtain the name of a temporary ftp directory containing the PGP software. Finally, you can use anonymous ftp to retrieve the software. To start this process, ftp to:
Then change directory to:
Obtain a copy of the file README and follow the instructions in it exactly.
If all this seems like too much trouble, there is another alternative. You can find copies of PGP on just about any BBS, FTP, or Web site advertising freely available software. Be aware, however, that "Floyd's Storm Door and BBS Company" may not be as trustworthy a place as MIT to obtain encryption software. It's really a question of how paranoid you are.
For people living in other countries, it is much easier to find PGP (depending on the legality of encryption software, of course). Try any of the places you'd normally look for free software. Keep in mind, however, that you shouldn't download PGP from any sites in the U.S. Doing so is considered an "export" of munitions, and can get the people responsible for the site in deep trouble. Wherever you eventually get PGP from, since the patents that complicate matters for the U.S. do not apply abroad, you'll probably end up with the "international" versions of PGP.
Building PGP is mostly a matter of following instructions. However, users of ELF-based Linux distributions (Such as Red Hat Linux) will find that PGP will not build. The problem, according to the PGP FAQ, is that two files do not properly handle the C preprocessor directives that affect support for ELF. The changes are to two files: 80386.S and zmatch.S. Near the beginning of each, you'll find either a #ifndef or a #ifdef for SYSV. If you find:
It should be changed to read:
#if !defined(SYSV) && !defined(__ELF__)
If you find:
It should be changed to read:
#if defined(SYSV) || defined(__ELF__)
After making these changes, PGP should build with no problems.
After building and installing PGP, you're ready to start using RPM's package signature capabilities. If your primary interest is in checking the signatures on packages built by someone else, Chapter 7 will tell you everything you need to know.
On the other hand, if you are a package builder and would like to start signing packages, Chapter 17 will have you signing packages in no time.
Note that there are no commercial restrictions regarding PGP in countries other than the U.S. and Canada.