Red Hat Enterprise Linux at Iowa State University

GPG Keys

Many developers who package RPMs, including Red Hat, attach a digital signature to the RPM in order to preserve the integrity of the package. The most common method of signing a package uses keys created with Gnu Privacy Guard (GPG). GPG users generate a key pair: a private key, which is used to encrypt (sign) the contents of a file or, in the case of an RPM, its signature, and a public key, which is used to decrypt (verify) it. The RPM developer signs the package with their private key using the rpm command, so the signature is stored in the package itself and cannot be separated from it. The developer then places a copy of their public key on the server that holds the signed package. A user who wishes to install the package first imports that public key into their RPM keyring; the public key is then used to verify the signature as the package is installed. Only the public key corresponding to the private key that signed the package will match the signature.

All of the packages from Red Hat have been signed using a GPG key. The Red Hat public GPG key is installed in your RPM keyring when you register your system with the Red Hat Network.
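The import-and-verify workflow described above, as an added example that is not part of the original page. It is a POSIX shell script that assumes the rpm command-line tool is installed; the package and key file paths are placeholders, and the sample output lines inside the script are constructed to show the three cases a verifier has to tell apart (signature verified, signed but the signing key is not in the keyring, and not signed at all).

```shell
#!/bin/sh
# Added example, not from the ISU page: import a vendor's public key into the
# RPM keyring and refuse to install a package whose signature does not verify.
# Assumes the rpm CLI is on PATH; package and key paths are placeholders.

# classify_sig_line LINE
# Inspect one line of `rpm -K` (alias `rpm --checksig`) output. Return 0 only
# when a signature was actually verified: the status part mentions a signature
# ("signatures" on current rpm, "pgp"/"gpg" on older releases) and does not
# say NOT OK. A line reporting digests alone means the package carries no
# signature, so it is rejected even though rpm itself exits 0 for it.
classify_sig_line() {
    status=${1#*: }               # drop the "file.rpm: " prefix
    case "$status" in
        *"NOT OK"*) return 1 ;;   # bad signature, or signing key not imported
    esac
    case "$status" in
        *[Ss]ignatures*OK*|*[Pp][Gg][Pp]*OK*|*[Gg][Pp][Gg]*OK*) return 0 ;;
    esac
    return 1                      # digests only: unsigned package
}

# import_key KEYFILE: add a public key (an RPM-GPG-KEY file) to the keyring.
import_key() {
    rpm --import "$1"
}

# list_keys: show which public keys the RPM keyring currently trusts.
list_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}  %{SUMMARY}\n'
}

# verify_package RPMFILE: run the signature check and report the result.
verify_package() {
    out=$(rpm -K "$1" 2>&1) || true
    if classify_sig_line "$out"; then
        printf 'VERIFIED  %s\n' "$out"
        return 0
    fi
    printf 'REJECTED  %s\n' "$out" >&2
    return 1
}

# Constructed sample lines, one per case the check must tell apart.
SAMPLE_GOOD='pkg-1.0-1.x86_64.rpm: digests signatures OK'
SAMPLE_MISSING_KEY='pkg-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK'
SAMPLE_UNSIGNED='pkg-1.0-1.x86_64.rpm: digests OK'

# Only touch the real rpm database when a package path is given:
#   ./check-rpm.sh /path/to/package.rpm [/path/to/RPM-GPG-KEY]
if [ $# -gt 0 ]; then
    [ -n "${2:-}" ] && import_key "$2"
    list_keys
    verify_package "$1" && rpm -i "$1"
fi
```

The exit status of rpm -K is not enough on its own: it is non-zero for a bad signature or a missing key, but zero for a package that was never signed, which is why the script parses the status text and treats "digests only" as a rejection. Listing the keys with rpm -q gpg-pubkey before installing shows exactly which vendors the keyring trusts, so an unexpected key can be spotted before it is used to accept a package.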