Importing a trusted key for RPM packages

When you download and install software from the internet as an RPM package, have you thought about how trustworthy the package is? Most download sites, if they are genuine, list alongside their downloads a link to a “trusted key”.

This trusted public key may belong to a vendor or to an individual and be part of a “web of trust”. By being part of a trusted group we can make sure that any package signed (GPG signed) by the owner of that key is authentic.

Having said that, here is how you would import a key into your RPM trust database. To import my GPG signing key, execute the following shell command as the root user:

rpm --import http://www.jefferyfernandez.id.au/jeffery.gpg

Having executed that command, packages signed by me are now trusted packages, simply because I belong to the “web of trust”. So now you can safely install (if you wish to :) ) any packages I have uploaded onto this site.

To verify that a package you have downloaded carries a signature matching a trusted key, execute the following command:

rpm --checksig packagename.rpm

which should give you an “OK” result similar to:

packagename.rpm: (sha1) dsa sha1 md5 gpg OK
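Note that an unsigned package also prints “OK” (for example “packagename.rpm: sha1 md5 OK”) because only the digests were checked, and rpm exits 0 in that case. The following helper, an added example that is not part of the original post, classifies a --checksig output line and only accepts it when a signature was actually verified against an imported key; it assumes the classic lowercase “gpg”/“pgp” token format shown above and the “digests signatures OK” format of newer rpm releases.

```shell
#!/bin/sh
# checksig_trusted LINE
# Returns 0 only when LINE (one line of `rpm --checksig` output) reports a
# signature verified against a key in the RPM trust database.
# Assumed output formats (not from the post): old rpm prints lowercase
# "gpg"/"pgp" for a verified signature and "(GPG) NOT OK (MISSING KEYS...)"
# when the key is absent; rpm >= 4.14 prints "digests signatures OK".
checksig_trusted() {
    line=$1
    case "$line" in
        *"NOT OK"*) return 1 ;;   # bad digest, bad signature, or missing key
        *OK) ;;                   # line ended in OK, keep checking what was verified
        *) return 1 ;;            # unexpected format, refuse
    esac
    case " $line " in
        *" gpg "*|*" pgp "*|*" signatures "*) return 0 ;;  # signature checked against a key
        *) return 1 ;;            # only digests verified: the package is unsigned
    esac
}

# verify_rpm FILE: run rpm --checksig and apply the stricter check above.
verify_rpm() {
    out=$(rpm --checksig "$1" 2>&1) || return 1
    checksig_trusted "$out"
}

# Constructed sample lines covering the cases a practitioner meets.
for sample in \
    "packagename.rpm: (sha1) dsa sha1 md5 gpg OK" \
    "packagename.rpm: sha1 md5 OK" \
    "packagename.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#placeholder)" \
    "packagename.rpm: digests signatures OK" \
    "packagename.rpm: digests SIGNATURES NOT OK"
do
    if checksig_trusted "$sample"; then
        echo "TRUSTED   : $sample"
    else
        echo "REJECTED  : $sample"
    fi
done
```

Use verify_rpm packagename.rpm in scripts instead of trusting rpm’s exit status alone.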

And finally to list all the trusted keys in the RPM trust db execute:

rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
