#3022 Issue closed: Where can I find the public GPG keys used to verify packages published?

Labels: support / question, fixed / solved / done

guru4712 opened issue at 2023-06-27 10:18:

My question addresses in particular the package found at
http://download.opensuse.org/repositories/Archiving:/Backup:/Rear/CentOS_8/x86_64/rear-2.7-1.el8.x86_64.rpm
but might also be of interest for other distros / versions.

jsmeix commented at 2023-06-28 09:04:

I am not a CentOS user so I cannot provide information
that is specific for CentOS.

On
http://download.opensuse.org/repositories/Archiving:/Backup:/Rear/CentOS_8/repodata/
there is the file

repomd.xml.key

I downloaded it and got (excerpts):

# gpg -vv repomd.xml.key
...
        keyid: 1B4DD1E2FFC8DD5F
...
:user ID packet: "Archiving:Backup:Rear OBS Project <Archiving:Backup:Rear@build.opensuse.org>"
...
:signature packet: algo 1, keyid 1B4DD1E2FFC8DD5F
...

I also downloaded
http://download.opensuse.org/repositories/Archiving:/Backup:/Rear/CentOS_8/x86_64/rear-2.7-1.el8.x86_64.rpm
and got

# rpm -qip rear-2.7-1.el8.x86_64.rpm | grep Signature

Signature   : RSA/SHA256, Thu 14 Jul 2022 10:17:16 AM CEST, Key ID 1b4dd1e2ffc8dd5f

and the "Key ID 1b4dd1e2ffc8dd5f" in rear-2.7-1.el8.x86_64.rpm
matches "keyid: 1B4DD1E2FFC8DD5F" in repomd.xml.key (ignoring case).

To use rpm --checksig rear-2.7-1.el8.x86_64.rpm
one has to first import the key into RPM (as 'root') via

# rpm --import /path/to/repomd.xml.key

so afterwards it is shown in RPM like (excerpt)

# rpm -q --queryformat "%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n" $( rpm -q gpg-pubkey )
...
gpg-pubkey-ffc8dd5f-62334ed5 gpg(Archiving:Backup:Rear OBS Project <Archiving:Backup:Rear@build.opensuse.org>)

so that finally one gets

# rpm --checksig rear-2.7-1.el8.x86_64.rpm

rear-2.7-1.el8.x86_64.rpm: digests signatures OK

To remove that key from RPM use (as 'root')

# rpm -e gpg-pubkey-ffc8dd5f-62334ed5

and then one gets

# rpm --checksig rear-2.7-1.el8.x86_64.rpm

rear-2.7-1.el8.x86_64.rpm: digests SIGNATURES NOT OK
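
The key ID comparison done by eye in the comment above, as an added shell example that is not part of the original thread or of the ReaR project. It works on saved text output of `rpm -qip` and `gpg -vv`; the function and variable names are assumptions, and the sample input is the excerpts quoted above.

```shell
#!/bin/sh
# Added example: match an RPM's signing key ID against the keys in a key file,
# working on the text printed by `rpm -qip` and `gpg -vv`.

# Sample input: the excerpts quoted in the comment above.
RPM_INFO='Signature   : RSA/SHA256, Thu 14 Jul 2022 10:17:16 AM CEST, Key ID 1b4dd1e2ffc8dd5f'
GPG_DUMP='        keyid: 1B4DD1E2FFC8DD5F
:user ID packet: "Archiving:Backup:Rear OBS Project <Archiving:Backup:Rear@build.opensuse.org>"
:signature packet: algo 1, keyid 1B4DD1E2FFC8DD5F'

# stdin: `rpm -qip` output. Prints the signing key ID in lowercase, or
# nothing for an unsigned package ("Signature   : (none)").
rpm_sig_keyid() {
    sed -n 's/^Signature[[:space:]]*:.*Key ID \([0-9A-Fa-f]\{16\}\).*$/\1/p' |
        tr 'A-F' 'a-f' | head -n 1
}

# stdin: `gpg -vv` packet listing. Prints the key IDs of the key packets
# ("keyid: ..." lines) in lowercase. Issuer IDs on ":signature packet:" lines
# are skipped because they can name keys that are not in the file.
gpg_keyids() {
    sed -n 's/^[[:space:]]*keyid: \([0-9A-Fa-f]\{16\}\).*$/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# $1: `rpm -qip` text, $2: `gpg -vv` text.
# Returns 0 on a match, 1 on a mismatch, 2 if the package has no signature.
sig_key_in_keyfile() {
    _id=$(printf '%s\n' "$1" | rpm_sig_keyid)
    [ -n "$_id" ] || return 2
    printf '%s\n' "$2" | gpg_keyids | grep -qx "$_id"
}

# Name prefix of the entry RPM creates on `rpm --import`: "gpg-pubkey-" plus
# the last 8 hex digits of the key ID (RPM appends the release part itself).
pubkey_pkg_prefix() {
    printf 'gpg-pubkey-%s\n' \
        "$(printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed 's/^.*\(.\{8\}\)$/\1/')"
}

if sig_key_in_keyfile "$RPM_INFO" "$GPG_DUMP"; then
    echo "match: after import expect $(pubkey_pkg_prefix 1B4DD1E2FFC8DD5F)-<release>"
else
    echo "no match: this key file does not hold the package's signing key"
fi
```

A matching key ID only shows which key signed the package; whether that key really is the project's has to be established from its full fingerprint, obtained over a channel you trust.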

guru4712 commented at 2023-06-29 11:25:

Thanks a lot!


[Export of Github issue for rear/rear.]