How reliable is rpm --verify when auditing package integrity and what alternatives are there?

Currently to verify package integrity, the command rpm --verify is run. In reading the rpm manual (http://ftp.rpm.org/max-rpm/s1-rpm-verify-output.html), there is no indication as to the veracity of the verification process.

It is my understanding that solutions such as AIDE and Tripwire expect a known good state and are unable to attest integrity when packages have been updated and/or upgraded.

  • What alternatives are there to assure the integrity of packages post installation as well as subsequent updates and upgrades?
  • How can corruptions by omission or commission be detected and identified?
  • What options are there if a known good state is unknown?
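The question turns on what `rpm --verify` actually reports. Its per-file output is a row of test columns (size, mode, digest, device, symlink, user, group, mtime, and on newer rpm a ninth column for capabilities), a one-letter file attribute such as `c` for a config file, then the path; a `.` means the test passed, `?` means rpm could not run it, and a line starting with `missing` means the file is gone. The following is an added example (not code from the rpm project or from the poster) that parses that format, documented at the manual URL cited above, and triages the findings the way an auditor would: altered content on a non-config file and deleted files rank high, metadata-only changes or unverifiable tests rank medium, an mtime-only change ranks low, and changes to config files are recorded as expected local edits. The sample output lines are constructed for the example and do not come from any real host.

```python
"""Parse `rpm --verify` (rpm -V) output and triage what it reports."""
import re
from dataclasses import dataclass, field

# Test letters rpm prints, in column order. "." means the test passed,
# "?" means rpm could not perform the test (e.g. the file was unreadable).
FLAG_ORDER = "SM5DLUGTP"
FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink", "U": "user", "G": "group", "T": "mtime",
    "P": "capabilities",  # ninth column on newer rpm; absent in the cited manual
}

# Single-letter file attribute printed before the path (blank if none).
ATTR_NAMES = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

# Accept both the 8-column format in the cited manual and the 9-column modern one.
VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$")


@dataclass
class Finding:
    path: str
    attr: str                                     # "config", "doc", ... or ""
    failed: set = field(default_factory=set)      # tests that reported a change
    unverifiable: set = field(default_factory=set)  # tests rpm could not run
    missing: bool = False

    @property
    def severity(self) -> str:
        """Rank the finding from a defender's point of view."""
        if self.missing:
            return "high"        # file removed: corruption by omission
        if self.attr == "config":
            return "info"        # local edits to config files are expected
        if self.failed & {"size", "digest", "symlink"}:
            return "high"        # content replaced: corruption by commission
        if self.failed & {"mode", "user", "group", "device", "capabilities"} \
                or self.unverifiable:
            return "medium"      # ownership/permission change, or test not run
        return "low"             # only mtime differs: often benign (touch, prelink)


def parse_verify_line(line: str):
    """Return a Finding for one per-file rpm -V line, or None for lines that
    are not per-file results (blank lines, warnings, informational notes)."""
    line = line.rstrip("\n")
    m = MISSING_RE.match(line)
    if m:
        return Finding(m["path"], ATTR_NAMES.get(m["attr"] or "", ""), missing=True)
    m = VERIFY_RE.match(line)
    if not m:
        return None
    finding = Finding(m["path"], ATTR_NAMES.get(m["attr"] or "", ""))
    for column, ch in enumerate(m["flags"]):   # columns are positional
        test = FLAG_NAMES[FLAG_ORDER[column]]
        if ch == "?":
            finding.unverifiable.add(test)
        elif ch != ".":
            finding.failed.add(test)
    return finding


def triage(output: str) -> dict:
    """Group the paths in an rpm -V output dump by severity, in input order."""
    report = {"high": [], "medium": [], "low": [], "info": []}
    for line in output.splitlines():
        finding = parse_verify_line(line)
        if finding is not None:
            report[finding.severity].append(finding.path)
    return report


# Constructed sample of `rpm -Va` output (not captured from a real system).
SAMPLE = """\
S.5....T.    /usr/bin/ls
.......T.    /usr/lib/systemd/systemd
.M.......    /usr/bin/sudo
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/sbin/sshd
..?......    /usr/bin/passwd
.....U...    /var/log/audit
"""

if __name__ == "__main__":
    for severity, paths in triage(SAMPLE).items():
        for path in paths:
            print(f"{severity:6} {path}")
```

Two caveats belong beside any such report. `rpm -V` compares files against the metadata recorded in the local rpm database, so if the host (and hence that database) is already compromised the comparison proves nothing; `rpm -Vp <package.rpm>` verifies against a package file instead, which lets you obtain a freshly downloaded, signature-checked copy (`rpm -K <package.rpm>`) of the same version and compare against that without needing a pre-recorded known good state. And an rpm verify only covers files that belong to a package, so files added outside of packages never appear in its output at all.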