Appendix G. An Introduction to PGP

Assuming you're not the curious type and haven't flipped your way back here, you are probably here looking for some information on the program known as Pretty Good Privacy, or PGP.

PGP — Privacy for Regular People

PGP, or "Pretty Good Privacy", is a program that is intended to help make electronic mail more secure. It does this by using sophisticated techniques known as public key encryption.

If you find yourself wondering what electronic mail and making information unreadable by spies has to do with RPM, you have a good point. However, although PGP's claim to fame is the handling of e-mail in total privacy, it has some other tricks up its sleeve.

Keys your Locksmith Wouldn't Understand

As we mentioned above, PGP uses public key encryption to do some of its magic. You might guess from the name that this type of encryption involves keys of some sort. But, as you might imagine, these are not keys that you can copy down at the local hardware store. They are numbers — really large numbers. Here's what a key might look like [1] :
Version: 2.6.2


PGP uses two different types of keys: public and private. The public key, as its name suggests, can be shared with anyone. The key shown above is, in fact, a public key. The private key, as its name suggests, should be kept a secret. PGP creates keys in pairs — one private and one public. A key pair must remain a pair; if one is lost, the other by itself is useless. Why? Because the two keys have an interesting property that can be exploited in two ways:

  • A message encrypted by a given public key can only be decrypted with the corresponding private key.

  • A message encrypted by a given private key can only be decrypted with the corresponding public key.

In the case of sending messages in total privacy, the key pairs are used in the first manner. It allows two people to exchange private messages without first exchanging any "secret codes". The only requirement is that each know the other's public key.

However, for RPM, the second method is the important one. Let's say a company needs to send you a document, and you'd like to make sure it really did come from them. If the company first encrypted the file with their private key and sent it to you, you would have an encrypted file you couldn't read.

Or could you? If you have the company's public key, you should be able to decrypt it. In fact, if you can't, you can be sure that the message you received did not come from them [2] !

It is this feature that is used by RPM. By using PGP's public key encryption, it is possible to not only prove that a package file came from a certain person or persons, but also that it was not changed somewhere along the line.

Are RPM Packages Encrypted?

In a word, no. Rather than being encrypted, RPM package files possess a digital signature. This is a way of using encryption to attach a signature (again, basically a large number) to some information, such that:

  • The signature cannot be separated from the information. Any attempt to verify the signature against any other information will fail.

  • The signature can only be produced by one private key.

In the case of RPM, the information being signed is the contents of the .rpm file itself.

A digital signature is just like a regular signature. It doesn't obscure the contents of the document being signed, it just provides a method of determining the authenticity of a document. Here is an example of a digital signature turned into printable text:
Version: 2.6.3a
Charset: noconv


Do All RPM Packages Have Digital Signatures?

Again, no. In a perfect world, every .rpm file would be signed. However, RPM has no formal requirement that this be the case. There is also no requirement that you do anything special with a signed .rpm file. Think of it as an extra feature that you can take advantage of, or not — it's strictly your choice.

So Much to Cover, So Little Time

PGP has a wealth of features, 99% of which we will not cover in this book. For more information on the basics of encryption, Applied Cryptography, by Bruce Schneier, contains a wealth of information on the subject. For more details on PGP specifically, O'Reilly's PGP: Pretty Good Privacy by Simson Garfinkel is an excellent reference.

If you'd rather surf the 'Net, use your favorite World Wide Web index to hunt for "crypto" or "PGP", and you'll be in business.



When we say that keys are numbers, we aren't lying even though the example key doesn't look like a number. It has been processed so that it can be concisely displayed using only printable characters.


Or at least that it didn't make it to you unchanged.