NOT RELEASED -- work in process
RPM-4.1, as shipped, will strictly refuse to install a GPG-signed package unless it is instructed by an option to 'over-ride' that protection:

FIX-ME

... or unless the appropriate GPG key is located, checked, and imported into RPM's keyring. This is part of the RFC 2440 protection, authentication, verification and tamper-evidencing system initiated in earnest at RPM-4.1.

$ locate RPM-GPG-KEY
/usr/share/doc/rpm-4.0.4/RPM-GPG-KEY
/usr/share/doc/redhat-release-7.3/RPM-GPG-KEY
$ diff /usr/share/doc/rpm-4.0.4/RPM-GPG-KEY /usr/share/doc/redhat-release-7.3/RPM-GPG-KEY
2c2
< signed by Red Hat Software using `rpm -K ' using the GNU GPG package.
---
> signed by Red Hat, Inc. using `rpm -K ' using the GNU GPG package.
$
$ sudo rpm --import /usr/share/doc/redhat-release-7.2/RPM-GPG-KEY
(authorized sudo 'sudoer' password required)
$
The concept of a 'web of trust' of mutually signed, self-published keys is not new, and the MORE -- PGP, keysigning parties, and Debian non-commercial responses -- vs. commercial PKI and CRLs requiring periodic public Internet access.

Red Hat's officially burned media have contained this in the root directory of CD 1 for several years (prior to that there is the PGP key series, which predates GPG keying -- your author, R P Herrold, <herrold@owlriver.com>, maintains and signs with an unrevoked PGP key at the public keyservers:
pub 1024R/7BFB98B9 1998-11-25 herrold@owlriver.com
-- we can use this information a bit later).

Sources:

[root@landlocked autorpm]# rpm -Uvh openssl-0.9.6b-28.i386.rpm
error: openssl-0.9.6b-28.i386.rpm: V3 DSA signature: BAD, key ID db42a60e
error: openssl-0.9.6b-28.i386.rpm cannot be installed
[root@landlocked autorpm]#

Keyservers come and go in the commercial sector as the winds of commerce may blow. For example, CERTSERVER.PGP.COM is one publicly referenced certificate server in the documentation accompanying GPG (see, e.g., http://www.gnupg.org/gph/en/manual.pdf at page 26; local copy). Unfortunately, it is non-responsive as of September 2002, as the corporate owners of PGP are abandoning that market.

From: http://skylane.kjsl.com/~jharris/keyserver.html (local copy)

Discontinued keyservers:
 * 2002-07 - irdu.nus.edu.sg - old software
 * 2002-07 - ashton.weg.net (was seattle.keyserver.net) (OKS: OpenKeyServer v1.2b2)
 * 2002-03 - {{keys,keyserver,certserver}.pgp.com,keys.nai.com} (also was pgpkeys.mit.edu)
 * unknown - {pgp,pgp5}.ai.mit.edu
Academic keyservers are more robust. A nice description of the keyserver process by Marc Horowitz <marc@mit.edu> is at: http://www.mit.edu/afs/net.mit.edu/project/pks/thesis/paper/thesis.html (local copy)

and in performing a DNS lookup for pgp.mit.edu in September 2002, I find this information:

[herrold@oldnews ]$ dig pgp.mit.edu

; <<>> DiG 9.2.1 <<>> pgp.mit.edu
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38011
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;pgp.mit.edu.                   IN      A

;; ANSWER SECTION:
pgp.mit.edu.            19308   IN      CNAME   CRYPTONOMICON.mit.edu.
CRYPTONOMICON.mit.edu.  19308   IN      A       18.7.14.139

;; AUTHORITY SECTION:
mit.edu.                21019   IN      NS      W20NS.mit.edu.
mit.edu.                21019   IN      NS      STRAWB.mit.edu.
mit.edu.                21019   IN      NS      BITSY.mit.edu.

;; ADDITIONAL SECTION:
BITSY.mit.edu.          162255  IN      A       18.72.0.3
W20NS.mit.edu.          21019   IN      A       18.70.0.160
STRAWB.mit.edu.         21019   IN      A       18.71.0.151

;; Query time: 45 msec
;; SERVER: 206.21.174.20#53(206.21.174.20)
;; WHEN: Fri Sep 20 17:44:35 2002
;; MSG SIZE  rcvd: 182

[herrold@oldnews ]$

The keyservers are run by a bunch of suspicious people, who are most 'finicky' about http://web.mit.edu/network/pgp.html http://www.pgpi.org/

[herrold@oldnews ]$ gpg --list-keys
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/herrold/.gnupg/pubring.gpg
--------------------------------
pub  1024R/7BFB98B9 1998-11-25 herrold@owlriver.com
pub  1024D/B8732E79 1999-03-26 John D. Hardin
sub  2048g/0E2A2292 1999-03-26

[herrold@oldnews .gnupg]$ gpg --keyserver pgp.mit.edu --recv-key 7BFB98B9
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: requesting key 7BFB98B9 from HKP keyserver pgp.mit.edu
gpg: key 7BFB98B9: not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

[herrold@oldnews ]$ gpg --keyserver pgp.mit.edu --recv-key db42a60e
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: requesting key DB42A60E from HKP keyserver pgp.mit.edu
gpg: found 0 ownertrust records
gpg: migrated 0 version 2 ownertrusts
gpg: key DB42A60E: public key imported
gpg: Total number processed: 1
gpg:               imported: 1

[herrold@oldnews ]$ gpg --list-keys
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/herrold/.gnupg/pubring.gpg
--------------------------------
pub  1024R/7BFB98B9 1998-11-25 herrold@owlriver.com
pub  1024D/B8732E79 1999-03-26 John D. Hardin
sub  2048g/0E2A2292 1999-03-26
pub  1024D/DB42A60E 1999-09-23 Red Hat, Inc
sub  2048g/961630A2 1999-09-23

[herrold@oldnews ]$ gpg --fingerprint DB42A60E
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
pub  1024D/DB42A60E 1999-09-23 Red Hat, Inc
     Key fingerprint = CA20 8686 2BD6 9DFC 65F6 ECC4 2191 80CD DB42 A60E
sub  2048g/961630A2 1999-09-23
[herrold@oldnews ]$
This is done as non-root, and on a non-production host of mine, so it does not have a complex keyring -- enough that I can sign files, basically. We saw
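The two sessions above (the rpm install refused with "BAD, key ID db42a60e", then the gpg fetch and fingerprint of DB42A60E) leave one step to the reader: a key pulled from a public keyserver is only as trustworthy as the keyserver, so the full fingerprint must be compared against the copy that came from trusted media (the RPM-GPG-KEY file on CD 1) before the key goes into RPM's keyring with rpm --import. The following is an added example, written for this page and not part of the original text or of RPM or GnuPG; it takes the rpm error lines and the gpg --fingerprint output as text and decides whether the named key may be imported. The "(sha1) dsa sha1 md5 (gpg) NOT OK (MISSING KEYS: GPG#...)" summary line, the TRUSTED_FINGERPRINT value, and the function names are assumptions for the example; the other sample lines are constructed from the transcripts quoted above.

```python
"""Decide, from rpm and gpg output, whether a signing key may be imported into
RPM's keyring. Added example; not code from the original page or from RPM/GnuPG."""
import hmac
import re

# Constructed sample: the "rpm -Uvh" error lines quoted in the text, preceded by
# an "rpm -K" summary line in the NOT OK / MISSING KEYS form (assumed format).
RPM_OUTPUT = """\
openssl-0.9.6b-28.i386.rpm: (sha1) dsa sha1 md5 (gpg) NOT OK (MISSING KEYS: GPG#db42a60e)
error: openssl-0.9.6b-28.i386.rpm: V3 DSA signature: BAD, key ID db42a60e
error: openssl-0.9.6b-28.i386.rpm cannot be installed
"""

# Constructed sample: "gpg --fingerprint DB42A60E" output as shown in the text.
GPG_OUTPUT = """\
pub  1024D/DB42A60E 1999-09-23 Red Hat, Inc
     Key fingerprint = CA20 8686 2BD6 9DFC 65F6 ECC4 2191 80CD DB42 A60E
sub  2048g/961630A2 1999-09-23
"""

# Assumed value: the fingerprint as read from the RPM-GPG-KEY file on the
# trusted CD. Take yours from the media, never from the keyserver you are checking.
TRUSTED_FINGERPRINT = "CA20 8686 2BD6 9DFC 65F6 ECC4 2191 80CD DB42 A60E"

KEY_ID_RE = re.compile(r"(?:key ID |GPG#)([0-9a-fA-F]{8})")
PUB_RE = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})")
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)$")


def parse_key_ids(rpm_output):
    """Short key IDs that rpm reports as BAD or MISSING, lower-cased, de-duplicated."""
    return sorted({m.lower() for m in KEY_ID_RE.findall(rpm_output)})


def normalize_fingerprint(text):
    """Strip spacing, upper-case, and insist on a 40-hex-digit v4 fingerprint."""
    fpr = "".join(text.split()).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a v4 OpenPGP fingerprint: %r" % text)
    return fpr


def key_id_from_fingerprint(fpr):
    """For v4 keys (the 1024D DSA key here) the short key ID is the last 8 hex
    digits of the fingerprint. This does NOT hold for v3 RSA keys such as the
    1024R key mentioned in the text, whose key ID is unrelated to its MD5 fingerprint."""
    return normalize_fingerprint(fpr)[-8:]


def parse_gpg_fingerprints(gpg_output):
    """Map key ID -> full fingerprint from 'gpg --fingerprint' output."""
    result = {}
    current = None
    for line in gpg_output.splitlines():
        m = PUB_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        m = FPR_RE.search(line)
        if m and current:
            result[current] = normalize_fingerprint(m.group(1))
            current = None
    return result


def decide(rpm_output, gpg_output, trusted_fingerprint):
    """Return {key_id: verdict} for every key rpm complained about.
    'fetch'  - key not on the gpg keyring yet: gpg --recv-key it, then re-run
    'import' - full fingerprint matches the trusted copy: safe to rpm --import
    'reject' - same 8-digit key ID but a different fingerprint: do not import"""
    trusted = normalize_fingerprint(trusted_fingerprint)
    known = parse_gpg_fingerprints(gpg_output)
    verdicts = {}
    for kid in parse_key_ids(rpm_output):
        fpr = known.get(kid.upper())
        if fpr is None:
            verdicts[kid] = "fetch"
        elif key_id_from_fingerprint(fpr) != kid.upper():
            verdicts[kid] = "reject"   # keyring entry is not even the key rpm named
        elif hmac.compare_digest(fpr, trusted):
            verdicts[kid] = "import"
        else:
            verdicts[kid] = "reject"
    return verdicts


if __name__ == "__main__":
    for kid, verdict in decide(RPM_OUTPUT, GPG_OUTPUT, TRUSTED_FINGERPRINT).items():
        print(kid, verdict)
```

The comparison is deliberately on all 40 hex digits, not on the 8-digit key ID that rpm prints: two different keys can carry the same short ID, which is exactly why a keyserver copy must be checked against the CD copy before rpm --import is run. Once imported, the key shows up under rpm -q gpg-pubkey, and a second rpm -K on the package should then report OK rather than MISSING KEYS.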

I took a snapshot of the Red Hat webpage: http://www.redhat.com/solutions/security/news/publickey.html on September 19, 2002, and it is down this link: snapshot25.png