CompTIA Linux+ XK0-006 (V8) Practice Question

The correct command to verify the digital signature of a downloaded RPM package file is rpm -K or rpm --checksig. This command checks the GPG signature embedded within the package file against the public keys stored in the RPM database. If the signature is valid and the corresponding public key is trusted, it confirms the package's authenticity and integrity.

The rpm -V command is incorrect because it is used to verify the files of an already installed package against the database metadata, checking for changes in file size, permissions, and checksums, but it does not check the signature of a downloaded .rpm file. The sha256sum command is incorrect because it only calculates a cryptographic hash (checksum) of the file. While this can verify file integrity if compared to a trusted hash value, it does not verify the authenticity provided by a digital signature. The gpg --verify command is also incorrect in this context because, while GPG is the underlying technology, rpm is the tool used to interact directly with the signature embedded in the RPM package format. gpg --verify would be used on a separate signature file (e.g., .asc), not the .rpm file itself.