If you work with Red Hat Enterprise Linux (RHEL) or Fedora, you know that RPM is the quiet powerhouse behind installing, updating, and managing software.
Today, RPM just got a major upgrade — version 6.0 is here — and it’s one of the biggest changes in years.
This update isn’t just a version bump. It changes how packages are signed, verified, and managed, making your systems more secure and your workflows smoother. Let’s break it down.
Before vs. After: The Big Picture
Before:
- RPM had limited signature enforcement and worked mostly with older OpenPGP keys.
- Package signing workflows were a bit clunky.
- Some verification and key management features required manual effort.
After:
- Signature checking is enforced by default, improving security out of the box.
- You can now use multiple OpenPGP signatures per package and work with OpenPGP v6 + post-quantum crypto (PQC) keys.
- Updating imported keys and controlling verification levels per package is much easier.
- New commands and macros simplify automation and signing tasks.
- Legacy support for RPM v3 packages is gone, so everything is modernized.
This isn’t just a minor tweak — it’s a modernization of RPM itself.
Key Highlights of RPM 6.0
The headline feature? Security-first package management.
RPM 6.0 now enforces signature checking by default. This means unsigned or tampered packages are flagged immediately, reducing the chance of installing something you shouldn’t.
You can also add multiple OpenPGP signatures to a single package, which is helpful for teams where multiple maintainers sign off on builds. Plus, support for OpenPGP v6 and PQC keys future-proofs your workflow for the post-quantum era.
Smarter Key and Signature Handling
RPM 6.0 makes key management easier. You can use full key IDs or fingerprints everywhere, making key lookup unambiguous. The rpmkeys(8) and rpmsign(1) tools got several upgrades, and even the man pages have been revamped for clarity.
A new rpm-setup-autosign(1) command lets you configure auto-signing quickly — great for CI/CD pipelines.
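The enforcement described above happens inside rpm itself; in a CI/CD pipeline it is still useful to run the check as an explicit step and keep a record of every refusal. The following is an added example, not code from the RPM project or the article: it wraps rpmkeys --checksig in a gate function and appends refusals to an audit log. It assumes rpmkeys(8) and rpm(8) are on PATH; AUDIT_LOG is a made-up path.

```shell
#!/bin/sh
# Added example (not part of RPM): gate an install on rpmkeys --checksig
# and record every refusal so failed verifications can be reviewed later.
# AUDIT_LOG is an assumed path; override it in the environment if needed.
AUDIT_LOG="${AUDIT_LOG:-/tmp/rpm-verify-audit.log}"

log_refusal() {
    # $1 = package path, $2 = reason text
    printf '%s refused %s: %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$AUDIT_LOG"
}

verify_rpm_sig() {
    # Returns 0 only when rpmkeys accepts every digest and signature
    # on the package; 2 if the file is missing, 1 if verification fails.
    pkg="$1"
    if [ ! -f "$pkg" ]; then
        log_refusal "$pkg" "file not found"
        return 2
    fi
    # rpmkeys --checksig exits non-zero when any signature or digest
    # does not verify against the imported keys.
    if ! out=$(rpmkeys --checksig "$pkg" 2>&1); then
        log_refusal "$pkg" "$out"
        return 1
    fi
    return 0
}

install_if_verified() {
    # Install only after the explicit verification step succeeds.
    pkg="$1"
    verify_rpm_sig "$pkg" || return $?
    rpm -Uvh "$pkg"
}
```

Run it as install_if_verified /path/to/package.rpm; the audit log then lists every package the gate turned away and why.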
Querying and Automation Got a Boost
For those who query package data regularly, there’s a new --filemime alias to get per-file MIME information. You also get a new :hashalgo query formatter to display hash algorithm names.
Macros also got some love:
- %{span:...} for cleaner multi-line macros.
- %{xdg:...} for evaluating XDG base directories.
If you manage transactions, you’ll appreciate new functions for managing the permanent keystore and controlling per-package verification levels.
Under-the-Hood Changes
Not everything is visible on the surface. RPM 6.0 drops support for installing RPM v3 packages — a move that simplifies the codebase and focuses on the future.
Other fixes include:
- Properly reporting scriptlet errors in transaction results.
- Fixes for %triggerprein and %triggerun so failed triggers actually fail the associated install or erase operation.
- Support for Python module isolation.
To build RPM 6.0 from source, you now need a C++20 compiler, rpm-sequoia 1.9.0+, Python 3.10+, and scdoc for man pages. This makes the project more modern and maintainable going forward.
Why This Matters
For sysadmins and developers, this is a security and usability upgrade. Stronger signature checks reduce risk. Better key management saves time. And improved automation hooks make continuous delivery smoother.
How to Get It
RPM 6.0 is available now as a source tarball on GitHub. It will ship as the default package manager in upcoming releases of RHEL and Fedora 43.