Managing RPM Packages

Verifying rpm Package Integrity

When you add repositories to your yum facility, in the cases of rpm.livna.com, atrpms, and others that offer a release RPM (such as livna-release), yum is automatically configured to use a valid GPG/DSA key and point to a valid online repository. When you ask to install a package from one of those repositories using yum, the GPG/DSA key is used to validate each package before it is installed. On the other hand, if you are simply installing a local RPM package, you need to do some manual work to verify its contents.

To check all digests and signatures included in an RPM (to make sure it is original and not corrupted), you can use the --checksig option to RPM. For example, say I have a copy of the dvgrab RPM (which is part of Fedora Core) in my local directory and I wanted to check it. I could run the following command:

 #  rpm --checksig dvgrab-2.0-1.2.2.i386.rpm  dvgrab-2.0-1.2.2.i386.rpm: (sha1) dsa sha1 md5 gpg OK 

The output above shows that the GPG/DSA key was found and used to check that the packages digital signatures (dsa, sha1, and md5) were correct. If, however, you got a package for which you didn't have the GPG/DSA key installed, you would need to get and import that key before you could verify the package.

If you trust the Internet site where you are getting the RPM you want to install, look for an indication that the site has signed its packages. Then download the GPG public key and import it. That will allow you to check the validity of the packages from that site. For example, I decided I wanted to use the KDE-redhat ( http://apt.kde-redhat.org ) project to replace all my KDE packages from Fedora Core. I downloaded the kaffeine package and tried to verify it as follows :

 #  rpm --checksig kaffeine-0.8.1-5.fc6.i386.rpm  kaffeine-0.8.1–5.fc6.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#ff6382fa) 

Because the GPG public key was not installed, the contents couldn't be verified as correct. So, I went to the KDE-redhat project site and downloaded the GPG public key to the current directory. Then I imported the key as follows:

 #  rpm --import gpg-pubkey-ff6382fa-3e1ab2ca  

With the GPG public key imported, the second check of the RPM showed that it was clean:

 #  rpm --checksig kaffeine-0.8.1-5.fc6.i386.rpm  kaffeine-0.8.1-5.fc6.i386.rpm: (sha1) dsa sha1 md5 gpg OK 

You can see all your installed GPG keys by typing rpm -qa grep gpg-pubkey from the command line. You can see which repository the key is associated with using the rpm -qi option (for example, rpm -qi gpg-pubkey-1ac70ce6-41bebeef less )

Remember, however, that it is best to get packages automatically from known repositories with yum (or related tools). Besides checking the signatures of packages, yum will also make sure all dependencies are cleared up.

Installing with rpm

To install an RPM archive file that is not yet installed on your system with the rpm command, most people generally use the same options they would if they were upgrading (the -U option). Here's an example of a command line you could use to install a new RPM package:

 #  rpm -U [  options  ]  package   

Package is the name of the RPM archive file. This package may be in the current directory, on a DVD or CD (for example, /media/cdrecorder/Fedora/RPMS/ x .rpm ), or on an accessible FTP site (for example, ftp://ftp.example.com/pub/whatever.i386.rpm ).

 #  rm -f /var/lib/rpm/__db*  #  rpm --rebuilddb  

Along with the -U option, you can use the following options to get feedback during a new installation:

• -v - Prints debugging information during installation. This is a good way to see everything that happens during the install process. (This output can be long, so you may want to pipe it to the less command.) You can get more information by adding multiple -v options (for example, -vv ).

• -h - Prints 50 hash marks ( # ) as the package unpacks. The intent is to see the progress of the unpacking process (so you can tell if the program is still working or stalled).

• -percent - Prints the percentage of the total package that has been installed throughout the install process.

Before installing a package, rpm checks to make sure that it is not overwriting newer files or installing a package that has dependencies on other packages that are not installed. The following install options can be used to override conditions that may otherwise cause the installation to fail:

• --force - Forces the contents of the current package to be installed, even if the current package is older than the one already installed, contains files placed there by other packages, or is already installed. (This is the same as using the oldpackage , replacefiles , and replacepkgs options.) Although it is dangerous to do so, people often use this option to override any issue that might cause the package install to fail (such as an older RPM).

• --oldpackage - Forces the package to be installed, even if the current package is older than the one already installed.

• --replacefiles - Forces files in this package to be installed, even if the files were placed there by other packages.

• --replacepkgs - Forces packages in this archive to be installed, even if they are already installed on the system.

• --nodeps - Skips package dependency checks and installs the package, even if packages it depends on are not installed. This option should be used with extreme caution! By not resolving dependencies properly, you can end up with broken software.

• --ignorearch - Forces package to be installed, even if the binaries in the package don't match the architecture of your host computer.

• --excludedocs - Excludes any man pages, texinfo documents, or other files marked as documentation.

• --ignoreos - Forces package to be installed, even if the binaries in the package don't match the architecture of your operating system.

The following is a simple rpm command line used to install an RPM archive:

 #  rpm -U RealPlayer-8.0-1.i386.rpm  

I like to see some feedback when I install something (by default, rpm is suspiciously quiet when it succeeds). Here is what the command looks like when I add the -vv option to get more verbose feedback, along with some of the output:

 #  rpm -Uvv RealPlayer-8.0-1.i386.rpm  D: ============== RealPlayer-8.0-1.i386.rpm D: Expected size: 4978643 = lead(96)+sigs(100)+pad(4)+data(4978443) D: Actual size : 4978611 D: RealPlayer-8.0-1.i386.rpm: MD5 digest: OK (f8080e7c3c32eacc6912a5afb364479a) D: added binary package [0] D: found 0 source and 1 binary packages D: opening db environment /var/lib/rpm/Packages joinenv . . D: installing binary packages D: opening db environment /var/lib/rpm/Packages joinenv D: opening db index /var/lib/rpm/Packages create mode=0x42 . . . D: closed db index /var/lib/rpm/Basenames D: closed db index /var/lib/rpm/Name D: closed db index /var/lib/rpm/Packages D: closed db environment /var/lib/rpm/Packages 

From this output, you can see that rpm finds one binary package in this archive, verifies the checksum, opens the RPM database, installs the packages, and closes the database when done. Another way to verify that the install is actually working is to add the -h option, as follows:

 #  rpm -Uvh RealPlayer-8.0-1.i386.rpm  RealPlayer ################################################## 

With the -h option, rpm chugs out 50 hash marks (#) until the package is done installing. As you can see, when everything goes well, installing with rpm is quite simple. Some problems can occur, however. Here are a couple of them:

• Package dependencies errors - If the package you are installing requires an additional package for it to work properly, you will see an error noting the missing package. You should get and install that package before trying your package again. (You can override the failure with install options described above, but I don't recommend that because your package may not work without the dependent package.)

• Nonroot user errors - If rpm -U is run by someone who is not the root user, the command will fail. The output will indicate that the /var/lib/rpm database could not be opened. Log in as root user and try again.

Upgrading Packages with rpm

The upgrade option ( -U ) with rpm can, as you might expect, also be used to upgrade existing packages. The format is the same as described above:

 #  rpm -U [  options  ]  package   

One issue when upgrading is installing an older version of a package. For example, if you install a new version of some software and it doesn't work as well, you will want to go back to the old version. To do this, you can use the --oldpackage option as follows:

 #  rpm -U --oldpackage AnotherLevel-0.7.4-1.noarch.rpm  

If a later package of this name already exists, it is removed and the older version is installed.

Freshening Packages with rpm

An option that is similar to the upgrade ( -U ) option is the freshen ( -F ) option. The main difference between the two is what happens if the RPM you are updating or freshening is not already installed on your Fedora system. The -U can do either a fresh install or an upgrade.

The -F will only do an upgrade (so if the package is not already installed, rpm -F will do nothing).

A great use for freshen is when you have a directory full of updated RPM files that you want to install on your system. But, you only want to update those packages that are already installed. In other words, there may be a lot of RPMs in the directory you don't want. Freshen lets you just update the packages you already have.

Let's say that you downloaded a directory of RPMs and you want to selectively freshen the ones you have installed. With the directory of RPMs as your current directory, you could type:

 #  rpm -Fhv *.rpm  

Packages already installed are updated with the new RPMs. All other RPMs are skipped .

Removing Packages with rpm

If you no longer want to use a package (or you just want to recover some disk space), use the -e option to remove a package. In its simplest form, you use rpm with the -e option as follows:

 #  rpm -e  package   

If there are no dependencies on this package, it is silently removed. Before you remove a package, however, you may want to do a quick check for dependencies. The -q option is used for a variety of query options. (Checking for dependencies isn't necessary because rpm checks for dependencies before it removes a package. You may want to do this for your own information, however.) To check for dependencies, do the following:

 #  rpm -q --whatrequires  package   

If you decide to remove the package, I recommend using the -vv option with rpm -e . This lets you see the actual files that are being removed. I also suggest that you either direct the output to a file or pipe it to the less command because the output often runs off the screen. For example:

 #  rpm -evv jpilot  less  

This example removes the jpilot package and shows you the files that are being removed one page at a time. (Press the Spacebar to page through the output.)

Other options that you can run with rpm -e can be used to override conditions that would prevent the package from being removed or to prevent some processing (such as not running preuninstall and postuninstall scripts). Three of those options are as follows:

• --nodeps - Uninstall the package without checking for dependencies

• --noscripts - Uninstall the package without running any preuninstall or postuninstall scripts

• --notriggers - Uninstall the package without executing scripts that are triggered by removing the package

If you feel nervous about boldly removing a package, you can always run the uninstall in test mode ( --test ) before you do the real uninstall. Test mode shows you everything that would happen in the uninstall without actually uninstalling. (Add the --vv option to see the details.) Here's an example:

 #  rpm -evv --test jpilot  less   D: opening db environment /var/lib/rpm/Packages joinenv   D: opening db index /var/lib/rpm/Packages rdonly mode=0x0   D: locked db index /var/lib/rpm/Packages   D: opening db index /var/lib/rpm/Name rdonly mode=0x0   D: opening db index /var/lib/rpm/Pubkeys rdonly mode=0x0   .   .   .   D: closed db index /var/lib/rpm/Name   D: closed db index /var/lib/rpm/Packages   D: closed db environment /var/lib/rpm/Packages  

If the results look fine, you can run the command again, without the --test option, to have the package removed.

Querying Packages with rpm

You can use the query options ( -q ) of rpm to get information about RPM packages. This can be simply listing the packages that are installed or printing detailed information about a package. Here is the basic format of an rpm query command (at least one option is required):

 #  rpm -q [  options  ]  

The following list shows some useful options you can use with an rpm query:

• -qa - Lists all installed packages.

• -qf file - Lists the package that owns file . (The file must include the full path name or rpm assumes the current directory.)

• - qi package - Lists lots of information about a package.

• -qR package - Lists components (such as libraries and commands) that package depends on.

• -ql package - Lists all the files contained in package .

• -qd package - Lists all documentation files that come in package .

• -qc package - Lists all configuration files that come in package .

• -qp [option] package - Query packages that are not yet installed. Using this option, along with other query options, allows you to query packages you have that are not yet installed.

To list all the packages installed on your computer, use the -a query option. Because this is a long list, you should either pipe the output to less or, possibly, use grep to find the package you want. The following command line displays a list of all installed RPM packages, and then shows only those names that include the string of characters xfree . (The -i option to grep says to ignore case.)

 #  rpm -qa grep -i xorg  

If you are interested in details about a particular package, you can use the rpm -i query option. In the following example, information about the dosfstools package (for working with DOS file systems in Linux) is displayed:

 #  rpm -qi dosfstools  Name : dosfstools Relocations: (not relocateable) Version : 2.11 Vendor: Red Hat, Inc. Release : 6.1.fc6 Build Date: Wed 12 Jul 2006 02:56:22 AM CST Install Date: Fri 22 Sep 2006 12:44:53 PM CDT Build Host : hs20-bc2-4.build.redhat.com Group : Applications/System Source RPM:dosfstools-2.11- 6.1.fc6.src.rpm Size : 74865 License: GPL Signature : DSA/SHA1, Thu 24 Aug 2006 09:28:51 PM CDT, Key ID fd372689897da07a Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Summary : Utilities for making and checking MS-DOS FAT filesystems on Linux. Description : The dosfstools package includes the mkdosfs and dosfsck utilities, which respectively make and check MS-DOS FAT filesystems on hard drives or on floppies. 

To find out about a package's contents, you can use the -l (list) option with your query. The following example shows the complete path names of files contained in the dosfstools package:

 #  rpm -ql dosfstools  less  /sbin/dosfsck /sbin/fsck.msdos /sbin/fsck.vfat /sbin/mkdosfs /sbin/mkfs.msdos /sbin/mkfs.vfat /usr/share/man/man8/dosfsck.8.gz . . . 

Would you like to know how to use the components in a package? Using the -d option with a query will display the documentation ( man pages, README files, HOWTOs, and so on) that is included with the package. If you are having trouble getting your X Window System running properly, you can use the following command line to find documents that may help:

 #  rpm -qd xorg-x11  less  /usr/X11R6/man/man1/Xmark.1x.gz /usr/X11R6/man/man1/Xorg.1x.gz /usr/X11R6/man/man1/Xserver.1x.gz /usr/X11R6/man/man1/appres.1x.gz /usr/X11R6/man/man1/atobm.1x.gz /usr/X11R6/man/man1/bitmap.1x.gz /usr/X11R6/man/man1/bmtoa.1x.gz . . . 

Many packages have configuration files associated with them. To see what configuration files are associated with a particular package, use the -c option with a query. For example, this is what you would type to find configuration files that are used with the ppp package:

 #  rpm -qc ppp  /etc/logrotate.d/ppp /etc/pam.d/ppp /etc/ppp/chap-secrets /etc/ppp/options /etc/ppp/pap-secrets 

If you ever want to know which package a particular command or configuration file came from, you can use the -qf option. In the following example, the -qf option displays the fact that the chgrp command comes from the fileutils package:

 #  rpm -qf /bin/chgrp  coreutils-5.97-11 

Before you install a package, you can do the same queries on it that you would do on an installed package. This can be a great tool for finding information from a package while it is in your current directory, or even in a software repository. Here is an example of using the -qp option with -i to see the description of a package in a software repository:

 #  rpm -qp -i \   http://ayo.freshrpms.net/fedora/linux/1/i386/freshrpms/RPMS/ blackbox -0.65.0-\   8.1.fc1.fr.i386.rpm   Name : blackbox Relocations: (not relocatable)   Version : 0.65.0 Vendor: Freshrpms.net   Release : 8.1.fc1.fr Build Date: Thu 25 Mar 2004 12:45:45 PM PST   Install Date: (not installed) Build Host: python2.freshrpms.net   .   .   .   Blackbox is a window manager for the X Window environment, which is...  

In the previous example, the long command line shown on three lines should actually be typed on one line. If you are concerned about the content or legality of downloading a package, this example is a way to read the description of a package before you even download it.

In the following example, the command lists the files contained in a package that is in the current directory:

 #  rpm -qp -l RealPlayer-8.0-1.i386.rpm  

Again, this is an excellent way to find out what is in a package before you install it.

Verifying Installed Packages with rpm

If something in a software package isn't working properly, or if you suspect that your system has been tampered with, the verify ( -V ) option of rpm can help you verify installed software against its original software package. Information about each installed package is stored on your computer in the RPM database. By using the verify option, you can check whether any changes were made to the components in the package.

Various file size and permissions tests are done during a verify operation. If everything is fine, there is no output. Any components that have changed from when they were installed will be printed along with information indicating how they were changed. Here's an example:

 #  rpm -V ppp  S.5....T. c /etc/ppp/chap-secrets S.5....T. c /etc/ppp/options S.5....T. c /etc/ppp/pap-secrets 

This output shows that the ppp package (used to dial up a TCP/IP network such as the Internet) has had three files changed since it was installed. The notation at the beginning shows that the file size ( S ), the MD5 sum ( 5 ), and the modification time ( T ) have all changed. The letter c shows that these are all configuration files. By reviewing these files to see that the changes were only those that I made to get PPP working, I can verify that the software is okay.

The indicators that you may see when you verify the contents of a configuration file are:

• 5 - MD5 Sum - An MD5 checksum indicates a change to the file contents.

• S - File size - The number of characters in the file has changed.

• L - Symlink - The file has become a symbolic link to another file.

• T - Mtime - The modification time of the file has changed.

• D - Device - The file has become a device special file.

• U - User - The user name that owns the file has changed.

• G - Group - The group assigned to the file has changed.

• M - Mode - If the ownership or permission of the file changed.