The RPM Command Line Tool | Beginning Fedora 2

Up to now, we ve talked about how to install and remove packages using Red Hat s graphical RPM Package Management Tool. While this tool is simple to use, it s lacking in functionality. For example:

It cannot install packages using network, FTP, or HTTP connections.
It does not show the location the files in a package are installed to.
It lacks the capability to query for specific packages installed on the system.
It does not provide full details of the RPM package, such as the vendor, build date, signature, description, and so on.
It does not have a function to verify a package. That means it cannot compare information about files, such as size , MD5 sum, permissions, type, owner, and group installed from a package, with the same information from the original package.
It does not show all the packages available in a product. So you won t always know if you ve got the whole thing.

The RPM Command Line Interface Tool provides a solution to the package manager s limitations. RPM is very versatile and can be used to manipulate packages in a number of ways. The remainder of this section looks at some of the most common tasks you re likely to want to perform, and considers how best to do them.

Note	Complete details of all RPM s options can be found by typing man rpm at the command prompt; because there are so many options, only the most common are covered here.

Querying Packages

Let s begin by discussing querying packages. RPM keeps a record of all the packages installed on your system in a database. By querying the database you obtain a complete list of all the packages that you ve installed on your system. Should you want to, you can then go further and query each individual package for more details about it.

The syntax for a basic query is as follows :

   rpm q [options] <filename>

Try It Out Querying RPM for Information About a Package

Open a terminal window (by selecting Main Menu>System Tools>Terminal).
Only a user with root privileges can perform RPM package operation. So, if you re not logged in as root, do so now, by using the su command:
```
   $ su   Password: # 
```
Change to the packages directory of CD 1 in your Fedora by inserting the CD and typing the following, once it has mounted:
```
   # cd /mnt/cdrom/Fedora/RPMS/   
```

Now, let s find the information for the Lynx package (Lynx is a text-based browser). To do this, type the following at the command line:

   # rpm -qip lynx-2.8.5-15.i386.rpm

Here, -qip represents the command options (discussed in more detail shortly), and lynx-2.8.5-15.i386.rpm is the RPM package file we re interested in. After a short while, you should see the following response:

Warning

lynx-2.8.5-15.i386.rpm: V3 DSA signature: NOKEY, key ID 30c9ecf8

 Name        : lynx                         Relocations: (not relocatable) Version     : 2.8.5                             Vendor: Red Hat, Inc. Release     : 15                            Build Date: Tue 17 Feb 2004 19:57:12 GMT Install Date: (not installed)               Build Host: tweety.devel.redhat.com Group       : Applications/Internet         Source RPM: lynx-2.8.5-15.src.rpm Size        : 4841340                          License: GPL Signature   : DSA/SHA1, Wed 17 Mar 2004 19:19:55 GMT, Key ID da84cbd430c9ecf8 Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL         : http://lynx.isc.org/ Summary     : A text-based Web browser. Description : Lynx is a text-based Web browser. Lynx does not display any images, but it does support frames, tables, and most other HTML tags. One advantage Lynx has over graphical browsers is speed; Lynx starts and exits quickly and swiftly displays webpages.

Note	Notice the warning in the first line? We ll explain it later in the chapter, when we cover verification.

You can use this information to make sure you re installing what you think you re installing and to check that you ve got the right version of software.

You can also use RPM to query a specific package installed on the system. Issue the following command as root:

   rpm qi lynx

Here, -qi represents the command options, and lynx is the RPM package filename we re interested in. After a short while, you should see the following response:

 Name        : lynx                         Relocations: (not relocatable) Version     : 2.8.5                             Vendor: Red Hat, Inc. Release     : 15                            Build Date: Tue 17 Feb 2004 19:57:12 GMT Install Date: Sat 15 May 2004 02:28:55 BST      Build Host: tweety.devel.redhat.com Group       : Applications/Internet         Source RPM: lynx-2.8.5-15.src.rpm Size        : 4869832                          License: GPL Signature   : DSA/SHA1, Wed 17 Mar 2004 19:19:55 GMT, Key ID da84cbd430c9ecf8 Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL         : http://lynx.isc.org/ Summary     : A text-based Web browser. Description : Lynx is a text-based Web browser. Lynx does not display any images, but it does support frames, tables, and most other HTML tags. One advantage Lynx has over graphical browsers is speed; Lynx starts and exits quickly and swiftly displays webpages.

Now issue the following command (still as root):

   # rpm -qa

This command makes a query for all the packages that are installed on your system; you should get something like this in response:

 setup-2.5.31-1 tzdata-2003d-1 bzip2-libs-1.0.2-10 e2fsprogs-1.35-4 .... switchdesk-gnome-3.9.8-18 nautilus-media-0.5.2-1 gpg-pubkey-4f2a6fd2-3f9d9d3b lynx-2.8.5-15

Here s another example. You are likely to encounter situations in which you need to know about the package that owns a particular command on the system. For example, let s find out which package owns the command /usr/bin/lynx . To do this, type the following at the command line:
```
   # rpm -qf /usr/bin/lynx   
```
You should get the following response:
```
 lynx-2.8.5-15 
```
The lynx-2.8.5-15 package is used by the system whenever a user calls the command /usr/bin/lynx .

Finally, RPM also provides a command that allows you to get a list of all files contained in an RPM package. Let s find out what files are contained in a lynx package. Type the following:

   # rpm -ql lynx

Here s the response you should get:

 /etc/lynx-site.cfg /etc/lynx.cfg /etc/lynx.cfg.cs /etc/lynx.cfg.ja /etc/lynx.cfg.sk /usr/bin/lynx ...... /usr/share/locale/sl/LC_MESSAGES/lynx.mo /usr/share/locale/sv/LC_MESSAGES/lynx.mo /usr/share/man/man1/lynx.1.gz

How it works

When you query an RPM package file using RPM command line options, it displays the information such as name, version, release, group, summary, and description of the package. The exact type of query and the format of the resulting output depend on the command options that you specify:

All five of the queries in the preceding example used -q . The q is to indicate that you re making a query.
Steps 4 and 5 used -qip . The p indicates that you are querying a package, and the i indicates that you want to see the package information.
In Step 6, we used -qa . That indicates that you are querying all currently installed packages.
In Step 7, we used -qf . The f indicates that you wish to query the package that owns the specified file.
In Step 8, we used -ql . The l indicates that you wish to query the list of files contained in the specified package.

RPM Package Security

RPM has had a number of releases over the years , and the latest versions (one of which is bundled with your system) have a few new features. One new feature of interest is that RPM now checks the signature of a package when querying, installing, or upgrading it.

Checking the signature of a package allows you to ensure that it is from a trustworthy source. All official Red Hat packages are signed by Red Hat using its GnuPG key, and RPM checks the package s GnuPG signature against the Red Hat GnuPG key to make sure the package is what it claims to be. If you do not have an appropriate key installed to verify the signature, you will get a warning message such as the following:

Warning

lynx-2.8.5-15.i386.rpm: V3 DSA signature: NOKEY, key ID 30c9ecf8

The exact content of the warning message depends on the situation. For example, if RPM cannot verify the package s GnuPG signature, you will see the following error message:

 error: V3 DSA signature: BAD, key ID 30c9ecf8

By contrast, if RPM cannot find the appropriate key to verify the signature of a package, you get this warning:

Warning

V3 DSA signature: NOKEY, key ID 30c9ecf8

Note

GnuPG signatures are digital signatures that are very hard to forge . Signatures are created with a unique secret key and can be verified by their recipient using a public key. A digital signature timestamps a document so that if anyone tries to tamper with it or modify it, the verification of the signature fails.

Fedora GNU Privacy Guard Keys

To install Red Hat s GNU Privacy Guard (GPG) keys on your installed system, issue the following command:

   # rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora-test

Or, use the following to install them from CD-ROM (make sure you ve got the right one in the drive):

   # rpm --import /mnt/cdrom/RPM-GPG-KEY-fedora-test

These commands install Red Hat s public GPG keys onto your system. You can also import other vendors GnuPG keys in much the same way; just change the name of the file to the one that they ve supplied to you.

To display a list of all GnuPG keys installed for RPM package verification on your system, issue the following command:

   # rpm -qa gpg-pubkey   gpg-pubkey-4f2a6fd2-3f9d9d3b gpg-pubkey-1cddbca9-3f9da14c gpg-pubkey-30c9ecf8-3f9da3f7 gpg-pubkey-db42a60e-37ea5438

This will return a list of results. If you ve installed the Fedora key, you should see the following listed among the results:

   gpg-pubkey-30c9ecf8-3f9da3f7

You can get even more complete details of a Red Hat GPG key by executing the following command:

   # rpm -qi gpg-pubkey-30c9ecf8-3f9da3f7

Note	In the preceding command, note that gpg-pubkey-30c9ecf8-3f9da3f7 is the name of the Fedora GnuPG key, gathered from the output of the command rpm -qa gpg-pubkey .

This produces the following response ”quite detailed isn t it? Most importantly, it reveals the vendor s name and signing date, which is handy if you ve got a key on your system but you aren t sure who it s from, or if it is still up-to-date:

Name : gpg-pubkey Relocations: (not relocatable)

 Version     : 30c9ecf8                          Vendor: (none) Release     : 3f9da3f7                      Build Date: Sat 13 Mar 2004 00:20:37 GMT Install Date: Sat 13 Mar 2004 00:20:37 GMT      Build Host: localhost Group       : Public Keys                   Source RPM: (none) Size        : 0                                License: pubkey Signature   : (none) Summary     : gpg(Fedora Project (Test Software) <rawhide@redhat.com>) Description : -----BEGIN PGP PUBLIC KEY BLOCK----- Version: rpm-4.3 (beecrypt-3.0.0)   mQGiBD+do/cRBACAF7Gv91v32uUrT4nZe+qKgLl59HmtvmaOzT4lInrF95Sget7p2TpnIqh5 H0x0VGpdoeNfHvlXCw+aP50mTJv91BYmLfelkTzokqpEU5YpqGOqa5BVjelnoK1VKOcXMB28 d79Gz9tn7friZN4SnyWbcSIA4C3dHNhsjifIYf0rywCg3y193N6jODa0VSGeeEb4whE2xccD /i/rqk0MQmW6td2Dz2jTBaHxyf7FIcH18YDtwraDotBRxqGkTVyFGc1q7ZTrRsbzdjIfxbp2 C6GT2VJ5kHuRm9jf7JdW5fOhun+oLimRerTlrPmgz8qQRcqUm6fkmUsYufL1u7DdyfxX7jI2 ngkbAR+CsZ8Cj5JhBMeAXc/DWWhPA/4mzZ70hn1OrGLokzxNr4O7u1+n0thsxGN0qfuTNGIc 09UKCoAN42he7QjskIqiE7gLtLzx8elxVOK19tNcaAiLoqmtxlLQqB03pLy4V0tMP9QcWQET bc67qTd1zASiefGjf364j4lQd+X9AqdyhUrnax3UgPD5IxilBp92Cw7Qi7QzRmVkb3JhIFBy b2plY3QgKFRlc3QgU29mdHdhcmUpIDxyYXdoaWRlQHJlZGhhdC5jb20+iFsEExECABsFAj+d o/cGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQ2oTL1DDJ7Pgh8QCgqNNsb7xdW+UhzyZw+DEA QF6e+q4AmwVus4u9REyd/aigK2RvrdtcsNy0iEYEExECAAYFAj+dpBoACgkQtEJp0E8qb9Ji 4QCfanY0CXnRwtBnm8GEMRNqgfGgcc0AnRunlejpJRxGPaRsmY/11stYll32iEYEEBECAAYF Aj+e2SIACgkQKdW6JI31bQWWNQCfTKcX/7lerpwIVHcAILDduz9qxssAn1t46ERJ9EqsxJxS FlN7oBPyNkt6 =R9He -----END PGP PUBLIC KEY BLOCK-----

Verifying Fedora Signed Packages

Having installed Fedora s GPG keys, you can now verify official Fedora packages as being authentic . As an example, let s verify the Lynx package that you looked at earlier:

   # rpm -K lynx-2.8.5-15.i386.rpm   lynx-2.8.5-15.i386.rpm: (sha1) dsa sha1  md5 gpg OK

If all goes well, you will see an MD5 gpg OK message. This proves that the signature of the package has been verified and that it has not been corrupted or altered .

Installing Packages

RPM provides other advantages over the RPM Package Management Tool because it can install packages from any source, including Red Hat distribution CDs, network locations, FTP, and HTTP.

The syntax for installing a package looks like this:

   rpm i [options] <package_filename>

Try It Out Installing Packages Using RPM

First, let s install the Lynx Web browser that we ve just verified is okay. You should already be logged in with root privileges, with the terminal window open and still in the Red Hat/RPMS directory of your mounted CD-ROM. From there, type in the following at the command line:
```
   # rpm -ivh lynx-2.8.5-15.i386.rpm   
```
The output you get depends on whether the Lynx browser is already installed. If it s not, you ll see the following:
```
 Preparing...              ########################################### [100%]    1:lynx                 ########################################### [100%] 
```
But, if it s already on your machine, RPM won t attempt to install it again. Instead, you get the following message:
```
 Preparing...              ########################################### [100%]         package lynx-2.8.5-15 is already installed 
```
Now, let s perform another installation to serve as an example; let s install a package that has dependencies. The balsa package is a GNOME e-mail client. If you try to install this using the same technique as before, you get a failed dependencies error message. Try it if you like:
```
   # rpm -ivh balsa-2.0.17-1.i386.rpm   error: Failed dependencies:         libesmtp >= 0.8.11 is needed by balsa-2.0.17-1         libesmtp.so.5 is needed by balsa-2.0.17-1         libltdl.so.3 is needed by balsa-2.0.17-1 
```
As you can see from the output, RPM fails to install the package. Instead, it shows an error message indicating that the package balsa-2.0.17-1.i386.rpm has a dependency that is not met ”namely, the packages libesmtp.so.5 and libltdl.so.3 are not installed. RPM provides the filename of the dependency but does not provide the package name to resolve it. This isn t very helpful, but Fedora provides an extra package that can be installed to get sug- gestions about package filenames to resolve dependencies.

The package in question is currently called rpmdb-fedora-1.92-0.20040421.i386.rpm , but the name may differ slightly in your version (look on your CD-ROM for a filename beginning rpmdb- and that ll be it). Simply install it as you installed the previous packages:
```
   #rpm -ivh rpmdb-fedora-1.92-0.20040421.i386.rpm     Preparing...           ########################################### [100%]     1:rpmdb-fedora        ########################################### [100%]   
```

Now if you try to install the balsa package again, you get a message suggesting the location of the dependent file:

   # rpm -ivh balsa-2.0.17-1.i386.rpm   error: Failed dependencies:         libesmtp >= 0.8.11 is needed by balsa-2.0.17-1         libesmtp.so.5 is needed by balsa-2.0.17-1         libltdl.so.3 is needed by balsa-2.0.17-1     Suggested resolutions:         libesmtp-1.0.2-2.1.i386.rpm         libtool-libs-1.5.6-1.i386.rpm

So, try again. This time, install the suggested packages libesmtp-1.0.2-1.i386.rpm and libtool-libs-1.5-8.i386.rpm first:

   # rpm -ivh libesmtp-1.0.2-2.1.i386.rpm   Preparing...              ########################################### [100%]    1:libesmtp             ########################################### [100%]   # rpm -ivh libtool-libs-1.5.6-1.i386.rpm   Preparing...                ######################################### [100%]    1:libtool-libs           ######################################### [100%]

When that s complete, you can install the balsa package as follows:

   # rpm -ivh balsa-2.0.17-1.i386.rpm   Preparing...              ########################################### [100%]    1:balsa                ########################################### [100%]

Alternatively, you could have installed them together on the same line, like this:

   # rpm -ivh balsa-2.0.17-1.i386.rpm libesmtp-1.0.2-2.1.i386.rpm   Preparing...           ########################################### [100%]   1:libesmtp          ########################################### [ 50%]     2:balsa                ########################################### [100%]

Finally, it s worth mentioning that RPM packages can be installed directly from the Internet. You can use HTTP or FTP addresses to install directly. For example, if you wanted to install the vnc-server directly from the Fedora Web site, you d type the following:
```
   # rpm -ivh http://download.fedora.redhat.com/pub/fedora/linux/core/test/1.92/i386/os/Fedora/RPMS/vnc-4.0-1.beta4.11.i386.rpm   
```

How it works

We ve used the RPM command for installation, much as we did for querying earlier; this time, however, the options are slightly different. Each of the three install commands used the option -ivh here, which translates as follows:

i indicates that you intend to perform an installation.
v indicates that you want RPM to display additional information, for example, to display package filenames while performing multiple package installations with one rpm command.
h indicates that you want RPM to print hash (#) marks during the installation process to show the progress of the installation.

Removing Packages

Removing unwanted packages from your system is very important to save the disk space as well as reduce the system administration work such as maintaining patches, and so on. RPM makes pack- age removal easy. It keeps a record of all the files installed by each package so you can easily clean your system by removing all the files associated with an unwanted package.

Try It Out Removing Packages Using the RPM

You probably don t actually need the vnc-server, lynx, and balsa packages on your system. So, here s how you go about removing them:

First, type the following to remove the vnc-server package:
```
   # rpm -e vnc-server   
```
Now do it again for Lynx:
```
   # rpm -e lynx   
```
Now, how about balsa? You ve got dependencies here, so you need to progress carefully . If you try to remove libesmtp-1.0.2-2.1.i386.rpm before you remove balsa-2.0.17-1.i386.rpm, you ll get an error:
```
   # rpm -e libesmtp   error: Failed dependencies:         libesmtp.so.5 is needed by (installed) balsa-2.0.17-1         libesmtp >= 0.8.11 is needed by (installed) balsa-2.0.17-1 
```
As you learned in the previous example, balsa-2.0.17-1 is dependent on libesmtp.so.5 . So, if RPM were to remove libesmtp.so.5 , balsa-2.0.17-1 wouldn t work anymore. So RPM protects you from this: Any attempt to remove the libesmtp package throws an error.

You can, however, force RPM to remove libesmtp , even with balsa still installed. To do this, specify the “nodeps option in the RPM command:
```
   # rpm --nodeps -e libesmtp     # rpm -e balsa   
```
And it will remove the packages regardless. Let s look at the logic behind how this works.

How it works

We used the rpm command to remove installed packages; this time we used the -e option to indicate that we re using RPM to remove a package.

Note	Note that we didn t specify the full package filenames ( vnc-server-4.0-1.beta4.11.i386.rpm and lynx-2.8.5-15.i386.rpm ) in the preceding commands; instead, we used the names of the packages themselves (vnc-server and lynx): # rpm -e vnc-server # rpm -e lynx

We also used the “nodeps option to remove the libesmtp package. We don t recommend that you use this option for the installation or removal of packages, because the newly installed package will not work without having all of its dependent files installed. However, it s worth knowing about it in case you re confronted with a broken or corrupted package that you need to remove from your machine.

Upgrading Packages

Upgrading a package is similar to installing one. The only difference is in the processing that goes on in the background. When it upgrades a package, RPM uninstalls the old package and then installs a new one. It copies the new configuration file with a .rpmnew extension without touching the existing configuration file, if the existing configuration file has been changed since it was first created (that is to say if you, the user, has changed it from its defaults).

The syntax for a package upgrade using RPM is as follows:

   rpm U [options] <package_filename>

Let s go through the steps of upgrading the fetchmail remote mail retrieval and forwarding utility.

To upgrade the fetchmail package with the latest version ( assuming that you ve queried it and are satisfied that it is what it claims to be), execute the following command on the command line:

 # rpm -Uvh fetchmail-6.2.5-1.i386.rpm Preparing...             ########################################### [100%]    1:fetchmail           ########################################### [100%] Latest version of the Fedora packages can be downloaded from  http://fedora.redhat.com website.

Verifying Package Integrity

RPM provides one more useful piece of functionality ”it allows you to compare information about your installed files with the same information from the original package. This helps when you need to check a file for changes, deletions, or data corruption.

You can verify a package in the following ways:

To verify a particular file contained in a package, type the following:
```
   # rpm -Vf /usr/bin/vncviewer   
```
Note
If the package owning the file has not been changed, corrupted, or deleted, you will not see any message.
To verify an installed package against the RPM file, type the following:
```
   # rpm -Vp vnc-4.0-1.beta4.11.i386.rpm   
```
Note
Again, if everything is okay, you will not see any message.

If you try to verify a package that is not installed on the system, you will see a message such as the following:

   # rpm -Vp lynx-2.8.5-15.i386.rpm   missing  c /etc/lynx.cfg missing  c /etc/lynx.cfg.cs ... missing    /usr/share/locale/sv/LC_MESSAGES/lynx.mo missing  d /usr/share/man/man1/lynx.1.gz

To verify all installed packages on your system, type the following:
```
 # rpm -Va 
```
Note
With this command, you can compare all files installed by packages with the original packages.

Caution
For more details on RPM, see the project s Web page at www.rpm.org/max-rpm/.