How reliable is rpm --verify when auditing package integrity and what alternatives are there?

Currently, to verify package integrity, the command rpm --verify is run. In reading the rpm manual, there is no indication as to the veracity of the verification process.

It is my understanding solutions such as AIDE and Tripwire expect a known good state and are unable to attest integrity when packages have been updated and/or upgraded.

  • What alternatives are there to assure the integrity of packages post installation as well as subsequent updates and upgrades?
  • How can corruptions by omission or commission be detected and identified?
  • What options are there if a known good state is unknown?