RPM Package Manager 6.0 released with support for multiple OpenPGP signatures per package


RPM 6.0 has been released with substantial changes for package management and software distribution. The release supports both the existing RPM v4 package format and the new v6 format, so packages in either format can be handled while distributions move to the new one.

On the security front, RPM 6.0 accepts multiple OpenPGP signatures per package, so a package can carry signatures from more than one key or algorithm. It also supports OpenPGP v6 keys and signatures, including post-quantum keys and signatures, which keeps the format usable as signing requirements change. Key management is expanded as well: previously imported keys can now be updated, and signature checking is enforced by default. To remove ambiguity, keys are identified everywhere by their full key ID or fingerprint rather than the 32-bit short key ID that older RPM releases used in gpg-pubkey package names.
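The following is an added example written for this page, not code from the RPM project: it derives OpenPGP v4 and v6 fingerprints and key IDs from a public-key packet body (RFC 4880 and RFC 9580), then resolves keys only by full fingerprint or 64-bit key ID, refusing the 32-bit short ID. The RSA moduli and creation timestamps are constructed dummy values, and `find_key` and `short_id_collision` are illustrative helpers, not RPM APIs.

```python
"""Added example, not RPM project code: OpenPGP fingerprints and key IDs,
and a key lookup that refuses ambiguous short IDs.  All key material is
constructed dummy data (tiny RSA moduli), not real keys."""
import hashlib
import struct


def mpi(value):
    """OpenPGP MPI: 2-byte big-endian bit count followed by the magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


def rsa_pubkey_body(version, created, n, e):
    """Public-key packet (tag 6) body for RSA (algorithm 1).
    v4 (RFC 4880 5.5.2): version, creation time, algorithm, MPIs.
    v6 (RFC 9580 5.5.2): as v4 plus a 4-byte length of the key material."""
    material = mpi(n) + mpi(e)
    head = struct.pack(">BIB", version, created, 1)
    if version == 4:
        return head + material
    if version == 6:
        return head + struct.pack(">I", len(material)) + material
    raise ValueError("unsupported key version %d" % version)


def fingerprint(body):
    """Upper-case hex fingerprint of a public-key packet body.
    v4: SHA-1 over 0x99 || 2-byte length || body   (40 hex digits).
    v6: SHA-256 over 0x9B || 4-byte length || body (64 hex digits)."""
    version = body[0]
    if version == 4:
        data = b"\x99" + struct.pack(">H", len(body)) + body
        return hashlib.sha1(data).hexdigest().upper()
    if version == 6:
        data = b"\x9b" + struct.pack(">I", len(body)) + body
        return hashlib.sha256(data).hexdigest().upper()
    raise ValueError("unsupported key version %d" % version)


def key_id(body):
    """64-bit key ID: low 64 bits of a v4 fingerprint, high 64 bits of a v6 one."""
    fp = fingerprint(body)
    return fp[-16:] if body[0] == 4 else fp[:16]


def short_id(body):
    """Legacy 32-bit short key ID (low 32 bits of the key ID), the form older
    RPM used in gpg-pubkey-XXXXXXXX package names."""
    return key_id(body)[-8:]


def find_key(keyring, ident):
    """Resolve a key from a keyring dict mapping fingerprint -> packet body.
    Accepts a full fingerprint (40 or 64 hex) or a 64-bit key ID (16 hex);
    refuses 32-bit short IDs, which are cheap to collide."""
    ident = ident.upper().replace(" ", "")
    if ident.startswith("0X"):
        ident = ident[2:]
    if len(ident) == 8:
        raise ValueError("short key IDs are ambiguous; use the full fingerprint")
    if len(ident) in (40, 64):
        matches = [b for fp, b in keyring.items() if fp == ident]
    elif len(ident) == 16:
        matches = [b for b in keyring.values() if key_id(b) == ident]
    else:
        raise ValueError("not an OpenPGP key ID or fingerprint")
    if len(matches) != 1:
        raise KeyError("%d keys match %s" % (len(matches), ident))
    return matches[0]


def short_id_collision(n=0xC0FFEEDEADBEEF0BADF00D, e=65537):
    """Birthday-search creation timestamps until two dummy v4 keys share a
    32-bit short ID (expected after roughly 2^16 tries), showing why an
    8-hex identifier cannot name a key uniquely.  Returns both packet bodies."""
    seen = {}  # short ID -> packet body
    for created in range(1 << 21):
        body = rsa_pubkey_body(4, created, n, e)
        sid = short_id(body)
        if sid in seen:
            return seen[sid], body
        seen[sid] = body
    raise RuntimeError("no collision found within the search bound")
```

The keyring is keyed on the full fingerprint, so a fingerprint lookup is an exact match and a 64-bit key ID lookup still fails closed if it ever matches more than one key; the short ID is rejected outright because `short_id_collision` finds two distinct keys sharing one in well under a second.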

While support for the older RPM v4 format continues, the ability to install RPM v3 packages has been removed, pushing users toward the modern, better-secured formats. The release also overhauls the man pages and other documentation, and pristine, verifiable release tarballs are now published, which improves supply chain security for anyone building RPM from source.

by Paul


RPM Package Manager is a package management system for Linux distributions. Its command-line tools install, update, verify, and remove software packages, and it is the native packaging system of many Linux distributions.
