Import RPM Signing GPG keys on CentOS 8

Introduction

GPG (GNU Privacy Guard) keys are used to make sure that we are getting the right package from a trusted repository: the package manager verifies the RPM's signature against the imported public key. GPG can also be used for secure transmission over the network in general; for instance, we can send an encrypted, signed message with attachments over the internet.


Existing Default GPG Keys

We can find the default installed RPM GPG keys under below location.

[root@rocket ~]# ls -lthr /etc/pki/rpm-gpg/
 total 8.0K
 -rw-r--r--. 1 root root 1.7K Mar 12 23:16 RPM-GPG-KEY-centostesting
 -rw-r--r--. 1 root root 1.7K Mar 12 23:16 RPM-GPG-KEY-centosofficial
[root@rocket ~]#

Installing a Package without GPG Keys

Installing a package without a valid signing key is possible. However, in a critical production environment, you have to adhere to your company security policy and enforce a strict GPG check for all packages, including local installs.

In this guide, we perform a local install that strictly checks for a valid signing GPG key. Since the key is not available on the server, the install fails with the error "Error: GPG check FAILED".

[root@rocket ~]# yum localinstall filebeat-7.6.2-x86_64.rpm
 Install 1 Package
 Total size: 24 M
 Installed size: 77 M
 Is this ok [y/N]: y
 Downloading Packages:
 warning: /root/filebeat-7.6.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
 Public key for filebeat-7.6.2-x86_64.rpm is not installed
 Error: GPG check FAILED
[root@rocket ~]#

Verifying before Installation

Before installing a package, we can verify whether the RPM's signature checks out against the imported GPG keys by using the -K option of rpmkeys.

[root@rocket ~]# rpmkeys -K filebeat-7.6.2-x86_64.rpm
 filebeat-7.6.2-x86_64.rpm: digests SIGNATURES NOT OK
[root@rocket ~]#

-K --checksig | verify package signature(s)

Importing GPG Key

Before installing any third-party package, import its signing GPG key using the rpm command with the --import option. Fetch the key only over HTTPS from the vendor's documented location, and compare its fingerprint with the one the vendor publishes. Let's try to install the Filebeat package with its signing key from Elastic.

# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

Right after importing the key, let's check the signature again.

[root@rocket ~]# rpmkeys -K filebeat-7.6.2-x86_64.rpm
 filebeat-7.6.2-x86_64.rpm: digests signatures OK
[root@rocket ~]#

Printing installed GPG Keys

To list all the installed GPG keys, we use the command below.

[root@rocket ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
 gpg-pubkey-8483c65d-5ccc5b19 gpg(CentOS (CentOS Official Signing Key) security@centos.org)
 gpg-pubkey-d88e42b4-52371eca gpg(Elasticsearch (Elasticsearch Signing Key) dev_ops@elasticsearch.org)
[root@rocket ~]#
  • rpm – rpm command
  • -q – query
  • --qf – query format

Installing a Package with GPG Key

Let's try to install the package again. Now it should go through smoothly, without the errors we saw before.

Running transaction
Preparing : 1/1
Installing : filebeat-7.6.2-1.x86_64 1/1
Running scriptlet: filebeat-7.6.2-1.x86_64 1/1
Verifying : filebeat-7.6.2-1.x86_64 1/1
Installed:
filebeat-7.6.2-1.x86_64
Complete!
[root@rocket ~]#
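The procedure above (check the signature with rpmkeys -K, find out which key is missing, list the imported gpg-pubkey packages) can be wrapped into a preflight script that refuses to proceed unless the signature verifies. This is an added example, not part of the original article; it assumes the rpmkeys and rpm output formats shown on this page and the %{RSAHEADER:pgpsig} query tag, and the sample strings in the comments are constructed.

```sh
#!/bin/sh
# Preflight check for a local RPM: proceed only when rpmkeys -K reports the
# signature OK against an already-imported key; otherwise report which key ID
# is missing so it can be imported from the vendor's published location.

# Classify one line of `rpmkeys -K` output: prints "ok" or "notok".
# An unsigned package prints only "digests OK", so we require "signatures OK".
sig_status() {
    case "$1" in
        *"NOT OK"*)        echo notok ;;
        *"signatures OK"*) echo ok ;;
        *)                 echo notok ;;
    esac
}

# Extract the short (last 8 hex digits, lower-case) key ID from a pgpsig
# string such as "RSA/SHA512, Thu 26 Mar 2020, Key ID d27d666cd88e42b4".
short_key_id() {
    id=$(printf '%s\n' "$1" | sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]*\).*/\1/p')
    short=${id#"${id%????????}"}          # keep the trailing 8 characters
    printf '%s\n' "$short" | tr 'A-F' 'a-f'
}

# Is key $1 among the installed gpg-pubkey packages? $2 is the output of:
# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
key_installed() {
    printf '%s\n' "$2" | grep -q "^ *gpg-pubkey-$1-"
}

# Real check against the system. Usage: preflight filebeat-7.6.2-x86_64.rpm
preflight() {
    pkg=$1
    status=$(sig_status "$(rpmkeys -K "$pkg" 2>&1)")
    if [ "$status" = ok ]; then
        echo "$pkg: signature verified, safe to install"
        return 0
    fi
    sig=$(rpm -qp --qf '%{RSAHEADER:pgpsig}\n' "$pkg" 2>/dev/null)
    kid=$(short_key_id "$sig")
    installed=$(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n')
    if [ -n "$kid" ] && key_installed "$kid" "$installed"; then
        echo "$pkg: key $kid is imported but the signature does NOT verify; do not install" >&2
    else
        echo "$pkg: signed by key ${kid:-unknown}, which is not imported; import it first" >&2
    fi
    return 1
}
```

Run it as `preflight file.rpm` before `yum localinstall`; a non-zero exit means the package must not be installed as-is.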

Finally, let's see how to remove a GPG key.

Removing a GPG Key

From the above output we have two keys. Let's remove the Elasticsearch key and verify the result.

# rpm -e gpg-pubkey-d88e42b4-52371eca

After removing the Elasticsearch key, only one key remains.

[root@rocket ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
 gpg-pubkey-8483c65d-5ccc5b19 gpg(CentOS (CentOS Official Signing Key) security@centos.org)
[root@rocket ~]#

That's it. We have successfully imported and removed a GPG key.

Conclusion

By importing the GPG key for third-party packages, we can be sure that we are getting the right package from a trusted repository.