How to get yum to use the already imported gpg keys?
This is a cargo-cult workaround that seems to work for automating key import:
yum -q makecache -y --disablerepo='*' --enablerepo=THENEWREPO
SauceCode
Updated on September 18, 2022
Comments
-
SauceCode almost 2 years
I am trying to add an external repository inside the yum.repos.d directory. The packages and metadata for that repository are signed with a gpg key. In case it's relevant, I'm on CentOS 7.2.

So far as I can tell, the traditional way to set up the repository is to include a link to the gpg key inside the repository file. That is, the file example.repo inside /etc/yum.repos.d contains the line:

gpgkey = https://example.com/repo/key

Then if you run yum update, you get a [y/N] prompt to import the GPG key, and if instead you run yum -y update the key gets imported automatically. So far so normal.

As an experiment, I tried removing the gpg-key download link from the repo file, and instead adding the key manually:

wget -O key https://example.com/repo/key
rpm --import key

and verify with

rpm -qa gpg-pubkey*

My expectation was that this would enable yum update to go through without raising the [y/N] prompt. But it didn't work - I still got the prompt asking me to import the key which I already imported. I tried, in addition, removing the gpgkey entry from the repo file, but in that case yum update simply threw an error (since I also have gpgcheck = 1 and repo_gpgcheck = 1).

Why does this matter? Well, it seems to me that if you want to automate this process, then you are required to trust the https transport through which the key is downloaded. That's fine, but then the GPG key is not really adding any security, beyond verifying that the package downloaded properly.

In short, I think either I'm missing a trick to make yum recognize that I already imported the key, or the GPG keys really aren't adding much beyond plain old https. Any clues?
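The trust question raised in this post (whether a key fetched from the gpgkey URL adds anything beyond HTTPS) comes down to how each repo file is configured. The script below is an added example, not code from the question or any answer: it parses .repo files with Python's configparser and reports, per repository, whether gpgcheck and repo_gpgcheck are on and where the gpgkey would be fetched from. The sample repo text, hostnames and key paths in it are constructed for the example.

```python
"""Audit yum .repo files for how package and metadata signatures are trusted.

Added example (not code from the question or answers). The sample repo text
below is constructed; hostnames and paths in it are placeholders.
"""
import configparser
import glob
import os
from urllib.parse import urlparse

# Constructed sample: one repo like the one in the question, one with the
# checks switched off, and one whose key is shipped on the host rather than
# downloaded at first use.
SAMPLE_REPO = """\
[example]
name=Example repo (as in the question)
baseurl=https://example.com/repo/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://example.com/repo/key

[insecure]
name=Checks disabled
baseurl=http://mirror.example.org/pkgs/
enabled=1
gpgcheck=0

[local-key]
name=Key distributed with the host image
baseurl=https://example.com/other/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""


def _truthy(value):
    """yum accepts 1/0, true/false, yes/no for boolean options."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def audit_repo_text(text):
    """Return {repo_id: [finding, ...]} for every section in a .repo file."""
    # interpolation=None so values such as $basearch are kept literally
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        findings = []
        pkg_check = _truthy(repo.get("gpgcheck", "0"))
        meta_check = _truthy(repo.get("repo_gpgcheck", "0"))
        # gpgkey may list several URLs separated by whitespace or newlines
        keys = repo.get("gpgkey", "").split()

        if not pkg_check:
            findings.append("WARN: gpgcheck is off; package signatures are not verified")
        if not meta_check:
            findings.append("WARN: repo_gpgcheck is off; repository metadata is not verified")
        if (pkg_check or meta_check) and not keys:
            # Matches what the question observed: yum errors out instead of
            # falling back to keys already imported with rpm --import.
            findings.append("WARN: a GPG check is enabled but gpgkey is unset; yum will fail")
        for key in keys:
            scheme = urlparse(key).scheme
            if scheme == "file":
                findings.append(f"OK: key {key} is read from the local filesystem")
            elif scheme == "https":
                findings.append(f"INFO: key {key} is fetched over HTTPS; first import trusts TLS")
            else:
                findings.append(f"WARN: key {key} is fetched over plaintext {scheme or 'unknown'}")
        report[repo_id] = findings
    return report


def audit_repo_dir(directory="/etc/yum.repos.d"):
    """Audit every *.repo file in a directory; results are keyed by file path."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.repo"))):
        with open(path, encoding="utf-8") as fh:
            results[path] = audit_repo_text(fh.read())
    return results


def repos_with_warnings(report):
    """Repo ids from audit_repo_text() output that carry at least one WARN."""
    return {rid for rid, findings in report.items()
            if any(f.startswith("WARN") for f in findings)}


if __name__ == "__main__":
    for rid, findings in audit_repo_text(SAMPLE_REPO).items():
        print(f"[{rid}]")
        for line in findings:
            print("  " + line)
```

A key referenced with file:// (baked into the host image, or copied over a channel you already trust) is what removes the dependence on the download transport; a repo whose gpgkey is an https URL is reported as INFO because, as the question notes, its first import rests on TLS. Even with the key placed locally, yum still has to populate its own per-repo keyring, which is what the answer's makecache command (or answering 'y' once) does. Point audit_repo_dir() at /etc/yum.repos.d to check a real host.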
-
Admin over 7 years
That prompt will only show up once. After you tell it 'y', it will not ask about that repo again. It does this on every new installation I've ever encountered.
-
Admin over 7 years
True - I'm referring to the situation where you're looking at automating the whole thing.
-
Admin almost 6 years
Thanks @SauceCode and @davor-cubranic for posting. Every other article suggests that if you do rpm --import key you'll be fine. After digging, I can see that after you run Davor's yum command or type "Y" to accept, a directory is created: /var/lib/yum/repos/<arch>/<class>/<reponame>/gpgdir. It contains a GPG public keyring and trustdb which yum uses to verify trust. Anyway, thanks again for this question & solution!
-
Eric Dand over 3 years
This is untrue; the yum.conf man page makes no mention of any repo_gpgkey field. There's repo_gpgcheck, which controls whether the GPG check is done, but no repo_gpgkey field specifying the keys used for that check.
-
Davor Cubranic over 3 years
Thanks @EricDand. It's been a while since I wrote that answer, and now I've no idea where I got that info. (It's definitely not in the linked yum.conf man page.) I'll take out that part of the answer, but the "cargo-cult" way of automating it still stands.