// RPM/YUM GPG keys: verification, import, deletion, package signature check and additional notes

I'm fairly new to the Red Hat and Fedora Linux ecosystem, so I decided to teach myself some details about RPM and YUM today, especially how to use the commands to handle package signatures and repository GPG keys.1) I noticed many unanswered forum postings during my research. That's why I decided to write this little blog entry, helping search-engine users to find more answers than questions. :-)

List and verify keys

  • List all GPG keys on the RPM/YUM keyring:
    rpm -q 'gpg-pubkey-*' | sort

    The GPG keys are stored in the RPM database as gpg-pubkey-XXXXXXXX-YYYYYYYY pseudo-packages. XXXXXXXX is the short (32-bit) key ID in lowercase hex without the 0x prefix; YYYYYYYY is the key creation time as a unix timestamp in hex, again without 0x.2) Example usage:

    $ rpm -q 'gpg-pubkey-*' | sort
    gpg-pubkey-00a4d52b-4cb9dd70
    gpg-pubkey-069c8460-4d5067bf

    As you can see, my example RPM knows about the GPG keys 0x00A4D52B and 0x069C8460.

  • List all GPG keys on the RPM/YUM keyring with a brief description:
     rpm -q 'gpg-pubkey-*' --qf '%{name}-%{version}-%{release} -> %{summary}\n'

    Same gpg-pubkey-XXXXXXXX-YYYYYYYY naming as above.3) Example usage:

    $ rpm -q 'gpg-pubkey-*' --qf '%{name}-%{version}-%{release} -> %{summary}\n'
    gpg-pubkey-069c8460-4d5067bf -> gpg(Fedora (15) <fedora@fedoraproject.org>)
    gpg-pubkey-00a4d52b-4cb9dd70 -> gpg(RPM Fusion free repository for Fedora (15) <rpmfusion-buildsys@lists.rpmfusion.org>)

    As you can see, my example RPM knows about the GPG keys 0x00A4D52B and 0x069C8460.

  • List all GPG keys on the RPM/YUM keyring with all details:
    rpm -qi 'gpg-pubkey-*'
  • Check the fingerprint of a GPG key on the RPM/YUM keyring:
    rpm -q 'gpg-pubkey-XXXXXXXX-*' --qf '%{description}\n' | gpg --quiet --with-fingerprint

    XXXXXXXX is the key ID in lowercase hex without the 0x prefix. The %{description} tag of a gpg-pubkey package holds the ASCII-armored public key, which gpg reads from stdin here. On GnuPG 2.2 and newer use gpg --show-keys --with-fingerprint instead: a bare gpg that is fed a key block only guesses what you want and warns about it. Compare the whole fingerprint against a trusted source, not just the key ID: the key ID is merely the last 32 bits of the fingerprint, and anyone can generate a key that collides on it. Example usage:

    $ rpm -q 'gpg-pubkey-069c8460-*' --qf '%{description}\n' | gpg --quiet --with-fingerprint
    pub  4096R/069C8460 2011-02-07 Fedora (15) <fedora@fedoraproject.org>
          Key fingerprint = 25DB B54B DED7 0987 F4C1  0042 B4EB F579 069C 8460
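Reading the package names and comparing fingerprints programmatically, as an added example in Python that is not part of the original post. The package names and the fingerprint line are the ones shown above, embedded as constructed input so the script runs without rpm or gpg; in practice you would feed it the output of rpm -q 'gpg-pubkey-*' and gpg --with-fingerprint. It also checks that the short key ID in the package name really is the tail of the fingerprint, which catches a copy-and-paste of the wrong key.

```python
"""Decode RPM's gpg-pubkey package names and compare fingerprints robustly.

Added example, not code from the original post. Nothing here talks to rpm
or gpg; the inputs below are copied from the sample output on this page.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the two package names listed by rpm -q 'gpg-pubkey-*' above.
SAMPLE_NAMES = [
    "gpg-pubkey-00a4d52b-4cb9dd70",
    "gpg-pubkey-069c8460-4d5067bf",
]

# Constructed sample: the fingerprint line gpg printed for 0x069C8460 above.
SAMPLE_FPR_LINE = "      Key fingerprint = 25DB B54B DED7 0987 F4C1  0042 B4EB F579 069C 8460"

_NAME_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})$")


def decode_pubkey_name(name):
    """Return (key_id, created) for a gpg-pubkey-XXXXXXXX-YYYYYYYY name.

    XXXXXXXX is the low 32 bits of the key fingerprint (the "short key ID"),
    YYYYYYYY the key creation time as a hex unix timestamp; both lowercase.
    """
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError("not a gpg-pubkey package name: %r" % name)
    key_id = m.group(1).upper()
    created = datetime.fromtimestamp(int(m.group(2), 16), tz=timezone.utc)
    return key_id, created


def normalize_fingerprint(text):
    """Keep only the hex digits of a fingerprint and uppercase them.

    Accepts a bare fingerprint, a 'Key fingerprint = ...' line, or a copy
    from a website that lost the double space between blocks five and six.
    """
    if "=" in text:
        text = text.split("=", 1)[1]
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(hexdigits) != 40:
        raise ValueError("expected a 40-hex-digit v4 fingerprint, got %r" % text)
    return hexdigits.upper()


def same_fingerprint(a, b):
    """Whitespace- and case-insensitive fingerprint comparison."""
    return normalize_fingerprint(a) == normalize_fingerprint(b)


def fingerprint_matches_key_id(fingerprint, key_id):
    """The short key ID in the package name must be the last 8 hex digits
    of the fingerprint; anything else means name and key disagree."""
    return normalize_fingerprint(fingerprint).endswith(key_id.upper())


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        key_id, created = decode_pubkey_name(name)
        print("%s -> 0x%s, created %s" % (name, key_id, created.date()))
    key_id, _ = decode_pubkey_name("gpg-pubkey-069c8460-4d5067bf")
    print("fingerprint and key ID consistent:",
          fingerprint_matches_key_id(SAMPLE_FPR_LINE, key_id))
```

The normalization is deliberately strict about length: a truncated fingerprint pasted from a web page should raise rather than silently match a prefix.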

Import and remove keys

  • Remove / delete a GPG key from the RPM/YUM keyring:
    rpm -e --allmatches 'gpg-pubkey-XXXXXXXX-*'

    XXXXXXXX is the key ID in lowercase chars without 0x prefix. Example usage:

    $ rpm -e --allmatches 'gpg-pubkey-00a4d52b-*'

    This command would remove the GPG key with ID 0x00A4D52B.

  • Import a GPG key into the RPM/YUM keyring:
    rpm --import '/path/to/public-key'

    Recent RPM versions can download keys via HTTP(S) and are even able to find ASCII-armored key blocks within HTML files. Example usage:

    $ rpm --import "http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x00A4D52B"

    This command would load the GPG key 0x00A4D52B from a public keyserver and import it into RPM. Please note that SKS keyservers need working TCP connections on port 11371, and that the transfer is plain HTTP. Fetching by key ID only tells you that somebody uploaded a key with that ID; it says nothing about who owns it, so always compare the fingerprint with a trusted source afterwards (the next section shows how).

Verify RPM package signatures

Signatures ensure that the packages you install are what the software maintainer produced and have not been altered (accidentally or maliciously) by a mirror or third party. YUM does these checks automatically when installing from a repository with gpgcheck=1. However, you may want to check the GPG signature of an RPM package yourself:

rpm -Kv /path/to/example.rpm

RPM needs the correct public key for this check. If you don't know how to get it, read on to learn what to do. Two things to keep in mind when reading the output: NOKEY means the signature could not be verified at all because the key is missing, and an unsigned package produces only digest lines (SHA1, MD5), which come out OK as long as the file is internally consistent, so rpm -K does not complain about it. A package is only proven authentic by a Signature line that reads OK for a key you have verified.

A perfect real-world example is the RPM Fusion setup to configure the RPM Fusion repositories on your Fedora system. They provide setup packages that install the needed .repo files and GPG keys without hassle. But you should verify them to make sure they have not been altered and really contain the original RPM Fusion keys instead of the ones an attacker would use to sign the malicious packages of a fake repository. ;-)

Let's start. RPM Fusion says we can configure everything with the following command:4)

su -c 'yum localinstall --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm'

This would download the two packages and install them without a signature check (→ nogpgcheck option). They recommend it to keep things simple for the average user, and because the risk that this one download gets poisoned is low. Keep in mind what is at stake, though: these release packages drop the RPM Fusion .repo files and GPG keys onto your system, so whatever you install here unchecked is what YUM will later verify every other RPM Fusion package against.

However, the paranoid ones like me would do the following instead:

  1. Download the packages:
    $ wget http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
  2. Check the package signatures:
    $ rpm -Kv rpmfusion-free-release-stable.noarch.rpm rpmfusion-nonfree-release-stable.noarch.rpm 
    rpmfusion-free-release-stable.noarch.rpm:
        Header V3 RSA/SHA256 Signature, key ID 865cc9ea: NOKEY
        Header SHA1 digest: OK (c06ac7d5f55041f442a5584727a06cd949607f3e)
        V3 RSA/SHA256 Signature, key ID 865cc9ea: NOKEY
        MD5 digest: OK (1e9c0088e06da5a3aa53f8598e10650c)
    rpmfusion-nonfree-release-stable.noarch.rpm:
        Header V3 RSA/SHA256 Signature, key ID f09d8368: NOKEY
        Header SHA1 digest: OK (c25b7b8fe9d6c2fba71b0090c67b3c90119414e2)
        V3 RSA/SHA256 Signature, key ID f09d8368: NOKEY
        MD5 digest: OK (3f738936db54b774d746566bbf632c4a)

    As you can see, the first package is signed with key 865cc9ea, the second one with key f09d8368. My example RPM does not have these keys on its keyring, therefore it can't verify the signatures right now (→ key ID 865cc9ea: NOKEY and key ID f09d8368: NOKEY); the OK digest lines only say that the files are intact. To solve this, I'm importing the needed keys:

    $ su -
    # rpm --import "http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x865CC9EA"
    # rpm --import "http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xF09D8368"
    # exit

    Now I compare the key fingerprints with the ones published on the RPM Fusion website to be sure the keys are the real ones. This step is what actually establishes trust: the keyserver hands out whatever was uploaded under that key ID, so a fingerprint match against an independent source is the only thing that rules out a substituted key.

    $ rpm -q 'gpg-pubkey-865cc9ea-*' --qf '%{description}\n' | gpg --quiet --with-fingerprint
    pub  4096R/865CC9EA 2010-04-16 RPM Fusion free repository for Fedora (14) <rpmfusion-buildsys@lists.rpmfusion.org>
          Key fingerprint = F524 6A00 7B1D 966B 38BE  4BFA 10CC 489A 865C C9EA
    $ rpm -q 'gpg-pubkey-f09d8368-*' --qf '%{description}\n' | gpg --quiet --with-fingerprint
    pub  4096R/F09D8368 2010-04-16 RPM Fusion nonfree repository for Fedora (14) <rpmfusion-buildsys@lists.rpmfusion.org>
          Key fingerprint = D620 5FB7 5E2D C090 B01D  6DEF 8064 8B53 F09D 8368

    Everything seems to be fine. RPM Fusion is using their Fedora 14 keys because these setup packages are supporting Fedora 14, 15 and 16 as I'm writing this.

  3. Let's redo the check:
    $ rpm -Kv rpmfusion-free-release-stable.noarch.rpm rpmfusion-nonfree-release-stable.noarch.rpm 
    rpmfusion-free-release-stable.noarch.rpm:
        Header V3 RSA/SHA256 Signature, key ID 865cc9ea: OK
        Header SHA1 digest: OK (c06ac7d5f55041f442a5584727a06cd949607f3e)
        V3 RSA/SHA256 Signature, key ID 865cc9ea: OK
        MD5 digest: OK (1e9c0088e06da5a3aa53f8598e10650c)
    rpmfusion-nonfree-release-stable.noarch.rpm:
        Header V3 RSA/SHA256 Signature, key ID f09d8368: OK
        Header SHA1 digest: OK (c25b7b8fe9d6c2fba71b0090c67b3c90119414e2)
        V3 RSA/SHA256 Signature, key ID f09d8368: OK
        MD5 digest: OK (3f738936db54b774d746566bbf632c4a)

    Now I'm sure the packages are authentic (→ key ID 865cc9ea: OK and key ID f09d8368: OK). Let's install them to get a working RPM Fusion repository and clean up afterwards:

    $ su -c 'yum install rpmfusion-free-release-stable.noarch.rpm rpmfusion-nonfree-release-stable.noarch.rpm'
    $ rm rpmfusion-free-release-stable.noarch.rpm rpmfusion-nonfree-release-stable.noarch.rpm
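The same decision, made by a script instead of by eye: an added Python example, not code from the original post or from RPM Fusion. It parses rpm -Kv output (the two transcripts above plus a constructed unsigned package, embedded so it runs offline) and accepts a package only when every Signature line reads OK for a key ID on an expected list; digest lines alone never count, so an unsigned package is rejected even though rpm -K itself reports nothing wrong with it. The run_checksig helper that calls rpm on real files is included for use outside the sample and is not exercised by it.

```python
"""Machine-check the output of `rpm -Kv` the way the steps above do by hand.

Added example, not code from the original post. A package passes only if
every signature verified (OK) and was made by a key we expect. MD5/SHA1
digest lines prove the file is internally consistent, nothing more.
"""
import re
import subprocess

# Constructed sample: rpm -Kv before the RPM Fusion keys were imported (copied from above).
BEFORE_IMPORT = """\
rpmfusion-free-release-stable.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 865cc9ea: NOKEY
    Header SHA1 digest: OK (c06ac7d5f55041f442a5584727a06cd949607f3e)
    V3 RSA/SHA256 Signature, key ID 865cc9ea: NOKEY
    MD5 digest: OK (1e9c0088e06da5a3aa53f8598e10650c)
rpmfusion-nonfree-release-stable.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID f09d8368: NOKEY
    Header SHA1 digest: OK (c25b7b8fe9d6c2fba71b0090c67b3c90119414e2)
    V3 RSA/SHA256 Signature, key ID f09d8368: NOKEY
    MD5 digest: OK (3f738936db54b774d746566bbf632c4a)
"""

# Constructed sample: the same check after the keys were imported.
AFTER_IMPORT = BEFORE_IMPORT.replace(": NOKEY", ": OK")

# Constructed sample: what rpm -Kv prints for a package that carries no signature at all.
UNSIGNED = """\
example-unsigned.noarch.rpm:
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    MD5 digest: OK (00000000000000000000000000000000)
"""

# Key IDs we expect, taken from the fingerprints verified above.
EXPECTED_KEYS = {"865cc9ea", "f09d8368"}

_SIG_RE = re.compile(r"Signature, key ID ([0-9a-fA-F]+): (\w+)")
_DIGEST_RE = re.compile(r"digest: (\w+)")


def parse_checksig(output):
    """Group rpm -Kv lines by package: {pkg: {"sigs": [(keyid, status)], "digests": [status]}}."""
    result, current = {}, None
    for line in output.splitlines():
        # A package header is an unindented line ending in ':'.
        if not line.startswith((" ", "\t")) and line.endswith(":"):
            current = line[:-1]
            result[current] = {"sigs": [], "digests": []}
            continue
        if current is None:
            continue
        m = _SIG_RE.search(line)
        if m:
            result[current]["sigs"].append((m.group(1).lower(), m.group(2)))
            continue
        m = _DIGEST_RE.search(line)
        if m:
            result[current]["digests"].append(m.group(1))
    return result


def assess(output, expected_keys):
    """Return {pkg: (accepted, reason)} for every package in the rpm -Kv output."""
    expected = {k.lower() for k in expected_keys}
    verdicts = {}
    for pkg, info in parse_checksig(output).items():
        if not info["sigs"]:
            verdicts[pkg] = (False, "unsigned: only digest lines present")
            continue
        bad = [(k, s) for k, s in info["sigs"] if s != "OK"]
        if bad:
            verdicts[pkg] = (False, "signature not verified: " + ", ".join("%s:%s" % b for b in bad))
            continue
        unexpected = {k for k, _ in info["sigs"]} - expected
        if unexpected:
            verdicts[pkg] = (False, "signed by unexpected key(s): " + ", ".join(sorted(unexpected)))
            continue
        if any(s != "OK" for s in info["digests"]):
            verdicts[pkg] = (False, "digest mismatch")
            continue
        verdicts[pkg] = (True, "signature OK from " + ", ".join(sorted({k for k, _ in info["sigs"]})))
    return verdicts


def run_checksig(paths):
    """Run rpm -Kv on real files and return its stdout for assess()."""
    proc = subprocess.run(["rpm", "-Kv"] + list(paths), capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for label, sample in (("before import", BEFORE_IMPORT), ("after import", AFTER_IMPORT), ("unsigned", UNSIGNED)):
        for pkg, (ok, why) in assess(sample, EXPECTED_KEYS).items():
            print("%-14s %-45s %s  %s" % (label, pkg, "ACCEPT" if ok else "REJECT", why))
```

The allow-list matters as much as the OK status: a package signed by a perfectly valid key you never intended to trust must fail too, which is exactly what the third check does.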

Additional notes

  • RPM has its own keyring, stored in the RPM database as the gpg-pubkey packages shown above, and YUM uses the same one. This means you don't have to import GPG keys into a user's GnuPG keyring with gpg --import or the like if you want to verify RPM package signatures or YUM repository contents.
  • The files in /etc/pki/rpm-gpg are not automatically the keys RPM is currently using to verify package signatures; only keys imported into the RPM database (rpm -q 'gpg-pubkey-*') count. This seems to confuse many users. The directory is mainly organizational: release packages drop their key files there, and .repo files refer to them with gpgkey=file:///etc/pki/rpm-gpg/..., so RPM/YUM can pick a key up when it is needed without downloading it from a key- or web-server.
  • YUM imports a repository GPG key into RPM on its own if the gpgkey option is specified in a .repo file (and gpgcheck=1 is set). YUM loads the key(s) from the specified source(s) (e.g. URLs or a file in /etc/pki/rpm-gpg) when needed, i.e. when the first package from the repository is about to be installed and turns out to be signed with an unknown key. YUM shows the key's fingerprint, asks the user whether it is OK, imports the key and installs the package. Apart from that prompt there is no difference between this wizard and a manual rpm --import of the needed key. Keep in mind that yum -y answers the prompt with yes, so in unattended runs nobody ever looks at the fingerprint.
  • A common GPG fingerprint consists of space-separated four-char blocks with two spaces between blocks five and six. Keep this in mind if you are using something like grep -i to verify fingerprints copied from websites: a CMS might eat the additional space when displaying content unless the string is marked as pre-formatted. Stripping all whitespace from both sides before comparing avoids the problem.
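A small audit of .repo files for the settings that matter here, as an added Python example (not from the original post). The sample repo file is constructed: the first section shows the safe shape, the second has signature checking switched off, and the third fetches its key over plain HTTP where anyone on the path could swap it. Defaults are not assumed: a repository without an explicit gpgcheck=1 is flagged because it merely inherits whatever [main] in yum.conf says.

```python
"""Flag yum repository definitions that weaken signature checking.

Added example, not code from the original post. The repo file below is
constructed for the demonstration; point audit_repo_file() at the real
files in /etc/yum.repos.d/ to use it.
"""
import configparser
import glob

# Constructed sample .repo file with one safe and two weak repositories.
SAMPLE_REPO = """\
[good-repo]
name=Example repository (constructed)
baseurl=https://repo.example.org/fedora/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[weak-repo]
name=Example repository with checks disabled (constructed)
baseurl=http://repo.example.org/extras/
enabled=1
gpgcheck=0

[keyserver-repo]
name=Key fetched over plain HTTP (constructed)
baseurl=https://repo.example.org/more/
enabled=1
gpgcheck=1
gpgkey=http://repo.example.org/RPM-GPG-KEY-example
"""


def audit_repo_text(text):
    """Return {section: [findings]} for every enabled repository in the text.

    An empty findings list means the section looked fine.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        sec = cp[section]
        if sec.get("enabled", "1").strip() != "1":
            continue  # disabled repositories cannot install anything
        issues = []
        if sec.get("gpgcheck", "").strip() != "1":
            issues.append("gpgcheck is not explicitly 1: packages may be installed "
                          "without signature verification")
        keys = sec.get("gpgkey", "").split()
        if not keys:
            issues.append("no gpgkey: yum has no key to import for this repository")
        for url in keys:
            if url.startswith("http://"):
                issues.append("gpgkey fetched over plain HTTP (%s): the key can be "
                              "replaced in transit; use file:// or https://" % url)
        if not any(sec.get(k) for k in ("baseurl", "mirrorlist", "metalink")):
            issues.append("no baseurl/mirrorlist/metalink")
        findings[section] = issues
    return findings


def audit_repo_file(path):
    """Audit one .repo file on disk."""
    with open(path) as fh:
        return audit_repo_text(fh.read())


if __name__ == "__main__":
    # Sample first, then (if present) the real repository definitions.
    reports = {"<sample>": audit_repo_text(SAMPLE_REPO)}
    for path in sorted(glob.glob("/etc/yum.repos.d/*.repo")):
        reports[path] = audit_repo_file(path)
    for source, findings in reports.items():
        for section, issues in findings.items():
            for issue in issues or ["ok"]:
                print("%s [%s]: %s" % (source, section, issue))
```

Note that a plain-HTTP baseurl is not flagged on its own: with gpgcheck=1 and a verified key, a tampered package fails the signature check regardless of how it was transported. It is the key delivery and the check switch that must be protected.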
1)
Existing APT knowledge is pretty useless on Fedora ;-)
2) , 3)
You can make it readable with date -d @$((0xYYYYYYYY)) "+%Y-%m-%d %T"
4)
BTW: yum localinstall is outdated. From the yum manpage: “Note that the install command will do a local install, if given a filename. This option is maintained for legacy reasons only.”

Comments

No. 1 @ 2012/08/27 15:01

Great compilation! Was extremely useful.

Page: 2012:03:06:rpm-yum-gpg-key-verification-import-deletion-package-signature-check-cheat-sheet