yum import repo keys

Issues related to applications and software problems and general support
user123792
Posts: 2
Joined: 2021/10/22 16:26:23

yum import repo keys

Post by user123792 » 2021/10/22 16:35:16

Hey everyone,

I'm using a local mirror of the epel repo via a repofile:

[epel]
gpgcheck=1
gpgkey=/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
name=Extra Packages for Enterprise Linux $releasever - $basearch
baseurl=local-mirror/epel/$releasever/Everything/$basearch/
enabled=1

On a fresh system, installing a package from this repo brings up a prompt to import the corresponding GPG key:

# yum install htop
[...]
warning: /var/cache/dnf/epel-a2f718eff71c46d7/packages/htop-3.0.5-1.el8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64                                                1.6 MB/s | 1.6 kB     00:00    
Importing GPG key 0x8483C65D:
 Userid     : "CentOS (CentOS Official Signing Key) <security@centos.org>"
 Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
Is this ok [y/N]:

I want to trust / import the key before running the install command so the prompt does not come up, so I tried importing it manually:

# rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

The command returned without error, and I can verify the key exists using:

# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-8483c65d-5ccc5b19 --> gpg(CentOS (CentOS Official Signing Key) <security@centos.org>)

However, the prompt still comes up during installation. I know that I can pass -y to just accept all questions, but this would weaken security. I just want to trust this single key beforehand. Any ideas?

Thanks a lot in advance!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: yum import repo keys

Post by TrevorH » 2021/10/22 16:58:41

gpgkey=/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
That is the wrong key file for EPEL. It's the official CentOS signing key and is used for the CentOS-supplied repos, but EPEL has its own. The correct key file from my epel.repo is gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8

If you use yum install -y ... then it will automatically say yes to both the "are you sure you want to install this package" and the "are you sure you want to import this key" questions. You can also use rpm --import, but it really helps if you import the right key ;-)
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
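
A pre-flight check for the situation in the first post and this reply, written as an added example (it is not code from the thread or from dnf/rpm). The install output above already contains the diagnosis: rpm reports the package as signed by key ID 2f86d6a1, while the file the repo's gpgkey points at yields key 8483C65D, so importing that file beforehand cannot satisfy the check. The script below reads the three things the first post shows (the .repo file, the NOKEY warning line and the `rpm -q gpg-pubkey` listing), all re-typed here as constructed sample inputs, and reports which signing key is missing and which configured key files do not exist. The `exists` parameter is injectable so it can run against a constructed filesystem view offline; on a real host leave it at the default.

```python
"""Pre-flight check for a gpgcheck=1 repo: does the configured gpgkey actually
supply the key that signed the package?  Added example; every input below is
constructed from the thread, not captured from a live host."""
import configparser
import os
import re
from urllib.parse import urlparse

# Constructed repo file, mirroring the first post (bare path, no file:// scheme).
REPO_FILE = """[epel]
gpgcheck=1
gpgkey=/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
name=Extra Packages for Enterprise Linux $releasever - $basearch
baseurl=local-mirror/epel/$releasever/Everything/$basearch/
enabled=1
"""

# Constructed copy of the rpm warning line dnf printed during the install.
NOKEY_WARNING = (
    "warning: /var/cache/dnf/epel-a2f718eff71c46d7/packages/htop-3.0.5-1.el8.x86_64.rpm: "
    "Header V4 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY"
)

# Constructed output of: rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
INSTALLED_PUBKEYS = (
    "gpg-pubkey-8483c65d-5ccc5b19 --> gpg(CentOS (CentOS Official Signing Key) "
    "<security@centos.org>)\n"
)

NOKEY_RE = re.compile(r"key ID ([0-9A-Fa-f]{8}): NOKEY")
# rpm names an imported key gpg-pubkey-<short key id>-<creation time, hex>.
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})\b", re.MULTILINE)


def required_key_ids(rpm_output: str) -> set:
    """Short key IDs that rpm reported as NOKEY (lower-case hex)."""
    return {m.lower() for m in NOKEY_RE.findall(rpm_output)}


def installed_key_ids(rpm_q_output: str) -> set:
    """Short key IDs already in the rpm database, from the rpm -q gpg-pubkey listing."""
    return {key_id for key_id, _created in PUBKEY_RE.findall(rpm_q_output)}


def parse_repos(text: str) -> dict:
    """Section name -> {'gpgcheck': bool, 'gpgkey': [url, ...]} for a .repo file."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    cp.read_string(text)
    return {
        name: {
            "gpgcheck": cp.get(name, "gpgcheck", fallback="0").strip() == "1",
            "gpgkey": cp.get(name, "gpgkey", fallback="").split(),
        }
        for name in cp.sections()
    }


def local_key_path(gpgkey: str):
    """Local path for a file:// URL or a bare path; None for http(s) and other remote keys."""
    parsed = urlparse(gpgkey)
    if parsed.scheme == "file":
        return parsed.path
    if parsed.scheme == "":          # the first post's bare path; dnf resolved it locally
        return gpgkey
    return None


def audit(repo_text: str, rpm_output: str, rpm_q_output: str, exists=os.path.exists) -> dict:
    """Combine the three inputs into one report.  `exists` is injectable so the
    check can run against a constructed filesystem view as well as the real one."""
    needed = required_key_ids(rpm_output)
    installed = installed_key_ids(rpm_q_output)
    report = {"missing_signing_keys": sorted(needed - installed), "repos": {}}
    for name, cfg in parse_repos(repo_text).items():
        missing_files = []
        for url in cfg["gpgkey"]:
            path = local_key_path(url)
            if path is not None and not exists(path):
                missing_files.append(url)
        report["repos"][name] = {
            "gpgcheck": cfg["gpgcheck"],
            "gpgkey_missing_files": missing_files,
        }
    return report


if __name__ == "__main__":
    # Constructed filesystem view: only the CentOS key file is present, as in the first post.
    present = {"/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial"}
    print(audit(REPO_FILE, NOKEY_WARNING, INSTALLED_PUBKEYS, exists=present.__contains__))
```

Run against the thread's inputs the report lists 2f86d6a1 under missing_signing_keys while the configured key file is present, which is exactly the "right file exists, wrong key" case this reply describes; after switching gpgkey to the EPEL-8 file on a host that lacks it, the same check instead flags the missing file, which is the second problem raised later in the thread.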

user123792
Posts: 2
Joined: 2021/10/22 16:26:23

Re: yum import repo keys

Post by user123792 » 2021/11/12 20:18:27

Thanks a lot for your help! I actually forgot to get back to this, but your post helped me a lot - in fact, it solved my problem instantaneously :D A bit silly that the fix was so easy and I didn't find it on my own :oops:

However, now I'm back to another CentOS system which I deployed a couple of months earlier, and apparently, the old repo file worked there like magic. Now, when I update the repo file to use the correct key file:

--- before: /etc/yum.repos.d/epel.repo
+++ after: /home/user/.ansible/tmp/ansible-local-23339d2l1ae8o/tmp8a5o4rer/hhu-centos8.repo
@@ -1,6 +1,6 @@
[epel]
gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
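
Review bot: The new value `+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8` is only safe to roll out if that file is guaranteed to exist on the target before this repo file is written; `gpgcheck=1` is kept, so on a host without the key file the next install fails at import time, as the ls output further down shows. Add a task that puts the key in place (installing the package that ships it, or copying the file) and order it before the task that applies this repo file. Also, the header `@@ -1,6 +1,6 @@` announces six lines but only four are shown here, so the name, baseurl and enabled lines of the after-state cannot be reviewed from this hunk.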

changed: [host] => (item=epel)

rpmkeys fails because the file does not exist:

# LANG=C ls -ahl /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
ls: cannot access '/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8': No such file or directory

Why is the file present on one CentOS 8 machine, and absent on the other? Any ideas? Thanks a lot for your help!

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: yum import repo keys

Post by jlehtone » 2021/11/12 20:39:07

Ask a question: Where does that file come from?

dnf provides /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8

The answer is "package epel-release", isn't it?

If you do install that package, then you also get the online epel repo defined (and enabled by default).

You have the file in one system. Copy it to others so that they can use your local mirror of epel.
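
When a key file is copied from one system to others, as this reply suggests, the copy is only as trustworthy as the file on the source host. The first post shows what to pin against: the fingerprint dnf prints when it imports a key (for the CentOS official key, 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D), whose low 32 bits are the key ID 8483C65D that appears in the rpm name gpg-pubkey-8483c65d-5ccc5b19. The example below is added here and is not code from the thread or from rpm; it computes the OpenPGP v4 fingerprint of an armored RPM-GPG-KEY file following RFC 4880 (SHA-1 over 0x99, a two-byte length and the public-key packet body) and compares it with a pinned value, so a key file can be checked before it is distributed or imported. Because no real key is embedded, `constructed_armored_key` builds a throwaway RSA public-key packet purely for the offline demonstration; pin the fingerprint published by the repo's maintainers in real use.

```python
"""Verify that an RPM-GPG-KEY file carries the pinned fingerprint before copying or
importing it.  Added example; OpenPGP parsing per RFC 4880 (v4 keys only)."""
import base64
import hashlib
import struct

# Fingerprint dnf printed for the CentOS official key in the first post (spaces removed).
CENTOS_OFFICIAL_FPR = "99DB70FAE1D7CE227FB6488205B555B38483C65D"


def dearmor(armored: str) -> bytes:
    """Decode an ASCII-armored key block to raw packet bytes; the CRC-24 line is ignored."""
    b64, inside, headers_done = [], False, False
    for line in armored.splitlines():
        if line.startswith("-----BEGIN PGP"):
            inside = True
            continue
        if line.startswith("-----END PGP"):
            break
        if not inside:
            continue
        if not headers_done:
            if line.strip() == "":          # blank line ends the armor headers
                headers_done = True
                continue
            if ":" in line:                 # armor header such as "Version: ..."
                continue
            headers_done = True             # no headers at all: this line is data
        if line.startswith("="):            # "=XXXX" CRC-24 line
            continue
        b64.append(line.strip())
    if not b64:
        raise ValueError("no armored data found")
    return base64.b64decode("".join(b64))


def public_key_packet(data: bytes) -> bytes:
    """Body of the first packet, which must be a public-key packet (tag 6)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, l1 = first & 0x3F, data[1]
        if l1 < 192:
            length, off = l1, 2
        elif l1 < 224:
            length, off = ((l1 - 192) << 8) + data[2] + 192, 3
        elif l1 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:                                              # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate packet length is not supported")
    if tag != 6:
        raise ValueError(f"first packet is tag {tag}, expected a public-key packet")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return body


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99 || 2-byte body length || body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def short_key_id(fingerprint: str) -> str:
    """The 8-hex-digit key ID rpm and dnf print is the low 32 bits of the v4 fingerprint."""
    return fingerprint.replace(" ", "")[-8:].lower()


def rpm_pubkey_name(body: bytes) -> str:
    """Name rpm gives the key once imported: gpg-pubkey-<short id>-<creation time hex>."""
    created = struct.unpack(">I", body[1:5])[0]
    return f"gpg-pubkey-{short_key_id(v4_fingerprint(body))}-{created:08x}"


def check_key_file(armored: str, pinned_fingerprint: str) -> bool:
    """True if the armored key file's fingerprint equals the pinned one (spaces/case ignored)."""
    actual = v4_fingerprint(public_key_packet(dearmor(armored)))
    return actual == pinned_fingerprint.replace(" ", "").upper()


def constructed_armored_key(n: int, e: int, created: int):
    """Constructed, non-usable v4 RSA public-key packet in ASCII armor, for offline
    demonstration only; returns (armored_text, packet_body)."""
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    packet = bytes([0x98, len(body)]) + body        # 0x98: old format, tag 6, 1-byte length
    armored = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed example\n\n"
               + base64.b64encode(packet).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
    return armored, body
```

On a real host, read /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 into `check_key_file` with the fingerprint taken from the repo maintainers' published key information, and distribute the file only if the check returns True; `rpm_pubkey_name` tells you which gpg-pubkey entry to expect in `rpm -q gpg-pubkey` afterwards.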
