
Monday, January 23, 2017

Package Management using YUM and RPM

List of Topics


1) What is YUM
2) List of configuration files
3) What is GPG key
4) Other rpm commands

1) What is YUM

YUM is the short form of Yellowdog Update Modifier. 

2) List of configuration files

Yum configuration file – /etc/yum.conf
Repo file configuration path – /etc/yum.repos.d/

A simple syntax of a .repo file:

1) [name - unique value]
2) name=""
3) baseurl=""
4) enabled=""
5) gpgcheck=""
6) gpgkey=""

3) What is GPG key (GNU Privacy Guard)

If you want to verify that a package has not been corrupted or tampered with, examine only the md5sum by typing the following command at a shell prompt (where <rpm_file> is the file name of the RPM package):

rpm -K --nosignature <rpm_file>

The message <rpm_file>: rsa sha1 (md5) pgp md5 OK (specifically the OK part of it) is displayed. This brief message means that the file was not corrupted during download. Because --nosignature skips the signature check, it does not tell you who built the package. To see a more verbose message, replace -K with -Kvv in the command.

On the other hand, how trustworthy is the developer who created the package? If the package is signed with the developer's GnuPG key, you know that the developer really is who they say they are.

An RPM package can be signed using GNU Privacy Guard (or GnuPG), to help you make certain your downloaded package is trustworthy.

GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption technology of PGP, an electronic privacy program. With GnuPG, you can authenticate the validity of documents and encrypt/decrypt data to and from other recipients. GnuPG is capable of decrypting and verifying PGP 5.x files as well.

During installation, GnuPG is installed by default. That way you can immediately start using GnuPG to verify any packages that you receive from Red Hat. Before doing so, you must first import Red Hat's public key.

3.1. Importing Keys

# rpm --import /usr/share/rhn/RPM-GPG-KEY

To display a list of all keys installed for RPM verification, execute the command:
# rpm -qa 'gpg-pubkey*'

For the Red Hat key, the output includes:
gpg-pubkey-db42a60e-37ea5438

To display details about a specific key, use rpm -qi followed by the output from the previous command:

# rpm -qi gpg-pubkey-db42a60e-37ea5438
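
An added example (not from the original post) that ties the gpgcheck and gpgkey fields of the .repo syntax to the signature checking described above: a shell function that reads a .repo file and reports every enabled repository where signature checking is off, unset, or has no key configured. The function name audit_repo and the repository ids, URLs and key path in the sample are assumptions made for this example.

```shell
# audit_repo FILE: print one line for every enabled [section] of a .repo
# file whose packages would install without a usable signature check.
audit_repo() {
    awk '
    function report() {
        if (sec == "" || enabled ~ /^(0|no|false)$/) return
        if (gpgcheck ~ /^(0|no|false)$/) print sec ": gpgcheck off"
        else if (gpgcheck == "") print sec ": gpgcheck unset"
        else if (gpgkey == "")   print sec ": gpgkey not set"
    }
    /^[ \t]*[#;]/ { next }                 # skip comment lines
    /^[ \t]*\[/ {                          # a new [section] starts
        report()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        enabled = "1"; gpgcheck = ""; gpgkey = ""  # repos default to enabled
        next
    }
    /=/ {
        key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "enabled")  enabled  = tolower(val)
        if (key == "gpgcheck") gpgcheck = tolower(val)
        if (key == "gpgkey")   gpgkey   = val
    }
    END { report() }
    ' "$1"
}
# Constructed sample input: repository ids, URLs and key path are made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[base]
name=Base packages
baseurl=http://mirror.example.com/base/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
[thirdparty]
baseurl=http://repo.example.org/el6/
enabled=1
gpgcheck=0
[testing]
baseurl=http://repo.example.org/testing/
enabled=0
gpgcheck=0
[local]
baseurl=file:///srv/repo/
gpgcheck=1
EOF
audit_repo "$sample"
```

A repository reported as "gpgcheck unset" takes its gpgcheck value from the [main] section of /etc/yum.conf. "gpgkey not set" is fine only when the key has already been imported with rpm --import.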

4) Other rpm commands

a) Replace files in case of file conflicts

rpm -ivh --replacefiles jpackage-utils-1.7.5-3.16.el6.noarch.rpm

b) Download a package without installing it

To download a package without installing it, we need the yumdownloader command, which is part of yum-utils. So, install the yum-utils package:

# yum install yum-utils

Then run the following command with the desired package as its argument:

# yumdownloader <package>

c) How to install obsolete packages

Sometimes we may need to install an obsolete package because of an application dependency. For that, use the option below.

# yum --setopt=obsoletes=0 install 'openoffice*'

d) List the configuration files

To list the configuration files installed by a package:

# rpm -qc <package name>

/etc/httpd/conf.d/autoindex.conf
/etc/httpd/conf.d/userdir.conf
/etc/httpd/conf.d/welcome.conf
/etc/httpd/conf.modules.d/00-base.conf
/etc/httpd/conf/httpd.conf
/etc/sysconfig/httpd

e) List the associated documents and license

Similar to the -c option, the -d option lists the documentation files installed by the respective package.

# rpm -qd <package name>

# rpm -qd httpd
/usr/share/doc/httpd/ABOUT_APACHE
/usr/share/doc/httpd/CHANGES
/usr/share/doc/httpd/LICENSE 

# rpm -qL <package name>
# rpm -qL openssh
