Using Signature Checking in Yum

With any sort of centralized updating system, it is important to ensure that the packages one is downloading have not been tampered with. The RPM packaging system takes care of that by allowing electronic signatures on every package. Due to the nature of PGP/GPG, it is impossible (or, rather, improbably difficult) to forge that signature without having what is called the "private key", which only the administrators of Linux@DUKE have access to. Once the gpg-checking mechanism is enabled, any package that does not verify against the "public key" you have stored on your computer will not be installed, and a warning will be issued to notify you of the problem.

Enabling gpg-checking in yum

Yum is the automated updater that is installed on your Linux@DUKE machine. Every night it checks against the Linux@DUKE rpm repository and downloads any new package updates so your system is fully patched against any vulnerabilities that are discovered as time goes on.

Importing public keys

Before you can enable gpg-checking, you will need to obtain the public part of the gpg keys that were used to sign the packages provided with CentOS-3.3. Here is the procedure:

For architecture: i386

{{{
su - root
rpm --import http://install.linux.duke.edu/pub/linux/base/centos-3.3/i386/RPM-GPG-KEY-CentOS-3
rpm --import http://install.linux.duke.edu/pub/linux/base/centos-3.3/i386/Linux-at-DUKE-GPG-KEY
}}}

For architecture: x86_64

{{{
su - root
rpm --import http://install.linux.duke.edu/pub/linux/base/centos-3.3/x86_64/RPM-GPG-KEY-CentOS-3
rpm --import http://install.linux.duke.edu/pub/linux/base/centos-3.3/x86_64/Linux-at-DUKE-GPG-KEY
}}}

Verifying fingerprints

If you want to be extra sure, email Linux@DUKE administrators to get the public keys first-hand: admin.[at].linux.duke.edu

Editing yum.conf

Open /etc/yum.conf in your favorite editor and change all occurrences of "gpgcheck=0" to "gpgcheck=1".
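
One way to carry out and check the yum.conf edit described above, as an added example that is not part of the original page: the script lists the sections that still have gpgcheck=0 and prints a corrected copy for review. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit gpgcheck settings in a
# yum configuration file and produce a corrected copy for review.

# List each section that has gpgcheck=0, as "section:line-number".
find_unchecked() {
    awk '
        /^[ \t]*\[.*\][ \t]*$/ {
            sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, ""); section = $0; next
        }
        /^[ \t]*gpgcheck[ \t]*=[ \t]*0[ \t]*$/ { print section ":" NR }
    ' "$1"
}

# Print the file with every active gpgcheck=0 changed to gpgcheck=1.
# Commented-out lines and all other options pass through unchanged.
enable_gpgcheck() {
    sed 's/^\([[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*\)0[[:space:]]*$/\11/' "$1"
}

# Constructed sample standing in for /etc/yum.conf (section names are made up).
write_sample() {
    cat > "$1" <<'EOF'
[main]
cachedir=/var/cache/yum
gpgcheck=0

[base]
name=Example base repository
gpgcheck = 0

[updates]
name=Example updates repository
gpgcheck=1
#gpgcheck=0
EOF
}

sample=$(mktemp)
fixed=$(mktemp)
write_sample "$sample"
echo "Sections with signature checking disabled:"
find_unchecked "$sample"
enable_gpgcheck "$sample" > "$fixed"
echo "Remaining after fix: $(find_unchecked "$fixed" | wc -l)"
rm -f "$sample" "$fixed"
```

Against a real system, run find_unchecked on /etc/yum.conf and compare the output of enable_gpgcheck with the original file before replacing it.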