Maximum RPM: Taking the RPM Package Manager to the Limit
In this chapter, we'll explore the steps required to add a digital signature to a package, using the software known as Pretty Good Privacy, or PGP. If you've used PGP before, you probably know everything you'll need to start signing packages in short order.
On the other hand, if you feel you need a bit more information on PGP before starting, please refer to Appendix G for a brief introduction. Once you feel comfortable with PGP, come on back and learn how easy signing packages is…
The reason for signing a package is to provide authentication. With a signed package, it's possible for your user community to verify that the package they have was in your possession at some time and has not been changed since then. That "not changed" part is also a good reason to sign your packages, as digital signatures are a very robust way to guard against any modifications to the package.
Of course, as with anything else in life, adding a digital signature to a package isn't an ironclad guarantee that everything is right with the package, but it's about as sure a thing as humans can make it.