2012-03-06 // RPM/YUM GPG keys: verification, import, deletion, package signature check and additional notes

I'm fairly new to the Red Hat and Fedora Linux eco-system. Therefore I just wanted to teach myself some details about RPM and YUM today, especially how to use the commands to handle package signatures and repository GPG keys.¹⁾ I noticed many unanswered forum postings during my research. That's why I decided to write this little blog entry, helping search-engine users to find more answers than questions.

• List all GPG keys on the RPM/YUM keyring:

  rpm -q 'gpg-pubkey-*' | sort

  The GPG keys are handled as gpg-pubkey-XXXXXXXX-YYYYYYYY packages. XXXXXXXX is the key ID in lowercase chars without 0x prefix. YYYYYYYY is the key creation time as unix timestamp in hex without 0x prefix.²⁾ Example usage:

  $ rpm -q 'gpg-pubkey-*' | sort
  gpg-pubkey-00a4d52b-4cb9dd70
  gpg-pubkey-069c8460-4d5067bf

  As you can see, my example RPM knows about the GPG keys 0x00A4D52B and 0x069C8460.

• List all GPG keys on the RPM/YUM keyring with a brief description:

   rpm -q 'gpg-pubkey-*' --qf '%{name}-%{version}-%{release} -> %{summary}\n'

  The GPG keys are handled as gpg-pubkey-XXXXXXXX-YYYYYYYY packages. XXXXXXXX is the key ID in lowercase chars without 0x prefix. YYYYYYYY is the key creation time as unix timestamp in hex without 0x prefix.³⁾ Example usage:

  $ rpm -q 'gpg-pubkey-*' --qf '%{name}-%{version}-%{release} -> %{summary}\n'
  gpg-pubkey-069c8460-4d5067bf -> gpg(Fedora (15) <fedora@fedoraproject.org>)
  gpg-pubkey-00a4d52b-4cb9dd70 -> gpg(RPM Fusion free repository for Fedora (15) <rpmfusion-buildsys@lists.rpmfusion.org>)

  As you can see, my example RPM knows about the GPG keys 0x00A4D52B and 0x069C8460.

• List all GPG keys on the RPM/YUM keyring with all details:

  rpm -qi 'gpg-pubkey-*'

• Check the fingerprint of a GPG key on the RPM/YUM keyring:

  rpm -q 'gpg-pubkey-XXXXXXXX-*' --qf '%{description}\n' | gpg --quiet --with-fingerprint

  XXXXXXXX is the key ID in lowercase chars without 0x prefix. Example usage:

  $ rpm -q 'gpg-pubkey-069c8460-*' --qf '%{description}\n' | gpg --quiet --with-fingerprint
  pub  4096R/069C8460 2011-02-07 Fedora (15) <fedora@fedoraproject.org>
        Key fingerprint = 25DB B54B DED7 0987 F4C1  0042 B4EB F579 069C 8460

• Remove / delete a GPG key from the the RPM/YUM keyring:

  rpm -e --allmatches 'gpg-pubkey-XXXXXXXX-*'

  XXXXXXXX is the key ID in lowercase chars without 0x prefix. Example usage:

  $ rpm -e --allmatches 'gpg-pubkey-00a4d52b-*'

  This command would remove the GPG key with ID 0x00A4D52B.

• Connect a GPG key to the RPM/YUM keyring:

  rpm --import '/path/to/public-key'

  Recent RPM versions can download keys via HTTP(S) and are even able to find ACSII-armored key blocks within HTML files. Example usage:

  $ rpm --import "http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x00A4D52B"

  This command would load the the GPG key 0x00A4D52B from a public keyserver and import it into RPM. Please note that SKS keyservers need working TCP connections on Port 11371.

Signatures ensure that the packages you install are what was produced by the software maintainer and have not been altered (accidentally or maliciously) by any mirror or third party. YUM should do these checks automatically when installing something out of a repository. However, you may want to check the GPG signature of a RPM package by yourself:

rpm -Kv /path/to/example.rpm

RPM needs the correct public key for this check. If you don't know how to get it, read on to learn what to do.

A perfect real-world example is the RPM Fusion setup to configure the RPM Fusion repositories on your Fedora system. They provide setup packages to install the needed .repo files and GPG keys without hassle. But you should verify them to make sure they are not altered and are really containing the original RPM Fusion keys instead the ones an attacker is using to sign it's malicious packages for his fake repository.

Let' start. RPM Fusion says we can configure everything with the following command:⁴⁾

Read more…