How to remove a yum repo GPG key?

Solution 1

Yum has a GPG keyring for repos that support GPG metadata signing. On my system, the relevant paths for this particular repo were:

  • /var/lib/yum/repos/x86_64/7/artifactory/gpgdir
  • /var/lib/yum/repos/x86_64/7/artifactory/gpgdir-ro

I was able to delete the GPG keys from those keyrings:

sudo gpg --homedir /var/lib/yum/repos/x86_64/7/artifactory/gpgdir --delete-key 12345678
sudo gpg --homedir /var/lib/yum/repos/x86_64/7/artifactory/gpgdir-ro --delete-key 12345678

Running sudo yum check-update at this point still did not prompt me to accept the key. I ran sudo yum clean metadata, and after that sudo yum check-update did re-prompt me to accept the GPG key.

I found PackageCloud's page on YUM GPG keys helpful in arriving at this solution.

Solution 2

Using rpm you can list keys and remove them.

[root@apps2 ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-f4a80eb5-53a7ff4b    gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>)
gpg-pubkey-352c64e5-52ae6884    gpg(Fedora EPEL (7) <[email protected]>)
[root@apps2 ~]# rpm -e gpg-pubkey-352c64e5-52ae6884
[root@apps2 ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-f4a80eb5-53a7ff4b    gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>)
[root@apps2 ~]#
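
The two solutions above act on different key stores: yum's per-repo keyrings (Solution 1) and the rpm database (Solution 2). The script below is an added example, not part of either answer; it prints the removal commands for one key across both stores so they can be reviewed before anything is run. The function names are hypothetical, and it assumes the /var/lib/yum/repos layout and the commands quoted on this page.

```shell
#!/bin/sh
# Added example (function names are hypothetical): print, without running,
# the commands that drop one key from yum's per-repo keyrings and from rpm.
# Usage: sh plan-key-removal.sh <repo-id> <key-id>

# yum keeps per-repo keyrings at <root>/<arch>/<releasever>/<repo-id>/gpgdir{,-ro}
find_repo_keyrings() {    # $1 = root such as /var/lib/yum/repos, $2 = repo id
    for d in "$1"/*/*/"$2"/gpgdir "$1"/*/*/"$2"/gpgdir-ro; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# rpm stores each imported key as gpg-pubkey-<VERSION>-<RELEASE>, where VERSION
# is the last 8 hex digits of the key id. Reads the Solution 2 query on stdin.
rpm_key_packages() {      # $1 = key id (short, long, or 0x-prefixed)
    short=$(printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed 's/^0x//; s/.*\(.\{8\}\)$/\1/')
    awk -v k="$short" '{ split($1, p, "-"); if (p[3] == k) print $1 }'
}

plan_key_removal() {      # $1 = root, $2 = repo id, $3 = key id; stdin = rpm query
    find_repo_keyrings "$1" "$2" | while read -r dir; do
        echo "gpg --homedir $dir --delete-key $3"
    done
    rpm_key_packages "$3" | while read -r pkg; do
        echo "rpm -e --allmatches $pkg"
    done
    # Solution 1 saw yum re-prompt only after the metadata cache was cleaned.
    echo "yum clean metadata"
}

# Only runs when invoked with both arguments; prints the plan for this host.
if [ "$#" -eq 2 ]; then
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' |
        plan_key_removal /var/lib/yum/repos "$1" "$2"
fi
```

An empty plan for the gpg or rpm lines means that store does not hold the key, which is the state to confirm before re-testing the import prompt.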
Author by

cherdt

Updated on September 18, 2022

Comments

  • cherdt almost 2 years

    I have a custom RPM repo in Artifactory, and GPG signing keys were recently enabled.

    When I ran sudo yum check-updates I was prompted to add the key:

    Retrieving key from https://artifactory.example.com/myrepo/repodata/repomd.xml.key
    Importing GPG key 0x12345678:
     Userid     : "John Doe <[email protected]>"
     Fingerprint: 1234 5678 90ab cdef 1234 5678 90ab cdef 1234 5678
     From       : https://artifactory.example.com/myrepo/repodata/repomd.xml.key
    

    I added the key, which was successful. However, I would now like to remove the key. I need to add the key programmatically (e.g. via Ansible) to numerous servers, and so I would like to reproduce the same behavior as before (where I am prompted to add the key) so that I can confirm that adding the key programmatically changes this behavior.

    I have tried using yum-config-manager to unset the gpgkey, but the behavior remains the same (yum does not prompt me to accept the key):

    sudo yum-config-manager --setopt=artifactory.gpgkey='' --save
    

    I've additionally deleted the yum cache (sudo yum clean all and sudo rm -rf /var/cache/yum).

    How can I remove this key from the yum repo configuration?

    Version info:

    $ yum --version
    3.4.3
    
  • cherdt over 6 years
    I deleted the key using rpm (sudo rpm -e --allmatches gpg-pubkey-12345678-abcdefab) but yum is still not prompting me to add the key.
  • Eric Dand over 3 years
    rpm is not yum; they keep separate keyrings.
  • Naitsirk almost 3 years
    With RHEL/CentOS 8 and repos managed by DNF, the keys are now stored in /var/cache/dnf/*/pubring.