How to remove a yum repo GPG key?
Solution 1
Yum has a GPG keyring for repos that support GPG metadata signing. On my system, the relevant paths for this particular repo were:
/var/lib/yum/repos/x86_64/7/artifactory/gpgdir
/var/lib/yum/repos/x86_64/7/artifactory/gpgdir-ro
I was able to delete the GPG keys from those keyrings:
sudo gpg --homedir /var/lib/yum/repos/x86_64/7/artifactory/gpgdir --delete-key 12345678
sudo gpg --homedir /var/lib/yum/repos/x86_64/7/artifactory/gpgdir-ro --delete-key 12345678
Running sudo yum check-update
at this point still did not prompt me to accept the key. I ran sudo yum clean metadata
, and after that sudo yum check-update
did re-prompt me to accept the GPG key.
I found PackageCloud's page on YUM GPG keys helpful in arriving at this solution.
Solution 2
Using rpm you can list keys and remove them.
[root@apps2 ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-f4a80eb5-53a7ff4b gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>)
gpg-pubkey-352c64e5-52ae6884 gpg(Fedora EPEL (7) <[email protected]>)
[root@apps2 ~]# rpm -e gpg-pubkey-352c64e5-52ae6884
[root@apps2 ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-f4a80eb5-53a7ff4b gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>)
[root@apps2 ~]#
cherdt
Web applications developer. Systems administrator. Wait, which is it? Depends on the day....
Updated on September 18, 2022Comments
-
cherdt almost 2 years
I have a custom RPM repo in Artifactory, and GPG signing keys were recently enabled.
When I ran
sudo yum check-updates
I was prompted to add the key:Retrieving key from https://artifactory.example.com/myrepo/repodata/repomd.xml.key Importing GPG key 0x12345678: Userid : "John Doe <[email protected]>" Fingerprint: 1234 5678 90ab cdef 1234 5678 90ab cdef 1234 5678 From : https://artifactory.example.com/myrepo/repodata/repomd.xml.key
I added the key, which was successful. However, I would now like to remove the key. I need to add the key programmatically (e.g. via Ansible) to numerous servers, and so I would like to reproduce the same behavior as before (where I am prompted to add the key) so that I can confirm that adding the key programmatically changes this behavior.
I have tried using
yum-config-manager
to unset thegpgkey
, but the behavior remains the same (yum does not prompt me to accept the key):sudo yum-config-manager --setopt=artifactory.gpgkey='' --save
I've additionally deleted the yum cache (
sudo yum clean all
andsudo rm -rf /var/cache/yum
).How can I remove this key from the yum repo configuration?
Version info:
$ yum --version 3.4.3
-
cherdt over 6 yearsI deleted the key using rpm (
sudo rpm -e --allmatches gpg-pubkey-12345678-abcdefab
) but yum is still not prompting me to add the key. -
Eric Dand over 3 years
rpm
is notyum
; they keep separate keyrings. -
Naitsirk almost 3 yearsWith RHEL/CentOS 8 and repos managed by DNF, the keys are now stored in
/var/cache/dnf/*/pubring
.