Frequently Asked Question
How does the package manager know a package is genuine? What is GPG signing?
Every mainstream Linux distribution signs its repository indices, and most sign the
individual packages too, using GnuPG (an open implementation of the OpenPGP standard).
The distribution maintains a private signing key offline; the matching public key is
shipped with the operating system. When apt update fetches InRelease from a Debian
mirror, or dnf fetches repomd.xml from Fedora, the package manager checks the file's
signature against the trusted keys in /etc/apt/trusted.gpg.d/ (Debian) or
/etc/pki/rpm-gpg/ (Red Hat) and refuses to proceed if the signature fails.
This is what stops an attacker who controls a mirror, or your network, from feeding
you a malicious package. The original apt-key system trusted every key in a single
flat keyring for every repository, so a key added for one third-party repository could
also vouch for the main archive; that turned out to be a security hole. Modern Debian
and Ubuntu instead place per-repository keys in /etc/apt/keyrings/ and reference each
one from the matching .list or .sources file with signed-by=, so a key can only validate
the repository it was added for. On RPM systems, rpm --checksig and dnf enforce the
same check on each package at install time.
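The check described above, reproduced offline as an added example that is not part of this FAQ: a throwaway key signs a constructed Release index, only the public half is exported into a keyring file standing in for /etc/apt/keyrings/<repo>.gpg, and gpgv (the verifier apt calls) accepts the genuine InRelease but rejects a tampered copy and a copy checked against a keyring that lacks the signer. It assumes gpg 2.1+ and a POSIX shell; every path, key name and file body is constructed and temporary.

```shell
#!/bin/sh
# Added example, not from the FAQ: apt's InRelease signature check, done offline.
# Assumes gpg 2.1+; all files are constructed and live in a temp dir.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupghome"            # throwaway keyring, never ~/.gnupg
mkdir -m 700 "$GNUPGHOME"
KEYRING="$WORK/example-archive-keyring.gpg"   # stands in for /etc/apt/keyrings/<repo>.gpg
UID_NAME='Example Archive Signing Key (constructed)'

# 1. Distribution side: create the signing key and clearsign a small Release index.
#    The SHA256 line is the real digest of an empty Packages file (size 0).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$UID_NAME" default default never
cat > "$WORK/Release" <<'EOF'
Origin: Example
Suite: stable
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
EOF
gpg --batch --quiet --clearsign --output "$WORK/InRelease" "$WORK/Release"

# 2. Client side: only the public key ships, as a binary keyring file.
gpg --batch --quiet --export "$UID_NAME" > "$KEYRING"
: > "$WORK/unrelated-keyring.gpg"             # a keyring that does not hold the key

# verify_inrelease FILE KEYRING: exit 0 only if FILE carries a good signature from KEYRING.
# gpgv is what apt calls; fall back to gpg --verify where gpgv is not installed.
verify_inrelease() {
    if command -v gpgv >/dev/null 2>&1; then
        gpgv --keyring "$2" "$1" >/dev/null 2>&1
    else
        gpg --batch --no-default-keyring --keyring "$2" --verify "$1" >/dev/null 2>&1
    fi
}

# 3. A hostile mirror that edits the index (here: one hash byte) breaks the signature.
sed 's/e3b0c442/deadbeef/' "$WORK/InRelease" > "$WORK/InRelease.tampered"

# report FILE KEYRING: print the outcome the way apt would act on it.
report() {
    if verify_inrelease "$1" "$2"; then echo "accept: $(basename "$1")"
    else echo "REJECT: $(basename "$1") (would refuse to proceed)"; fi
}
report "$WORK/InRelease" "$KEYRING"                      # accept
report "$WORK/InRelease.tampered" "$KEYRING"             # REJECT: bad signature
report "$WORK/InRelease" "$WORK/unrelated-keyring.gpg"   # REJECT: signer not trusted
```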