The RPM project has announced the release of RPM 6.0, the first major version jump since the 4.x series. RPM is one of the oldest and most widely used package management systems in Linux and the backbone of distributions like RHEL, Fedora, openSUSE, and others.
The most striking change is the new RPM v6 package format, which moves all size limits to 64-bit, drops obsolete crypto algorithms like MD5 and SHA-1, and adds SHA-512 and SHA3-256 for payloads.
Package headers also gain SHA3-256 digests, while per-file MIME information is now embedded directly into the metadata. Compatibility is broad: v6 packages can be queried with RPM 4.6 and later, unpacked with 4.12, and verified or installed with 4.14 and newer.
Security has been tightened across the board. RPM now enforces signature checking by default, supports OpenPGP v6 and even post-quantum cryptography (PQC) keys, and allows multiple signatures per package.
Tools like rpmkeys and rpmsign have been extended to handle these changes, including fingerprint-based key management, auto-signing via macros, and the ability to add or replace signatures without breaking existing ones.
On the packaging side, rpmbuild can generate both v4 and v6 packages, with v6 as the default. A new rpm-setup-autosign utility has been added to simplify auto-signing configuration. Several long-standing issues in build scripts, dependency handling, and macro processing have also been resolved.
Documentation has seen a major overhaul, too. Man pages have been rewritten in a consistent style, new pages have been added for components that were previously undocumented, and a versioned documentation site now hosts reference manuals, API docs, and updated examples.
Under the hood, RPM is now built with a C++20 compiler, moving much of its internals to modern data structures while continuing to ship Python bindings (which now require Python 3.10 or newer). The project also emphasizes reproducibility with pristine, verifiable release tarballs.
While RPM 6.0 defaults to the new format, it maintains full support for v4 packages, ensuring compatibility with existing ecosystems. The removal of v3 installation support closes the door on older packages, though they can still be queried or unpacked with tools like rpm2cpio.
For more information, see the release notes.