Yum Repository GPG keys

Overview

By the end of this article you should be able to answer the following questions:

What is the command to create a repo using the baseurl 'https://dl.fedoraproject.org/pub/epel/7/x86_64/'?
$ yum-config-manager --add-repo=https://dl.fedoraproject.org/pub/epel/7/x86_64/

Which directory should a repo's GPG key be downloaded to?
/etc/pki/rpm-gpg/


Yum uses GPG keys to verify the signature on every rpm package it downloads. Once a repo's public key is configured, yum rejects any package that was not signed by the matching private key, so a package that has been tampered with on a mirror or swapped in transit fails to install. Note what is being checked: the package, not the server. A correctly signed package is accepted from any mirror, and an unsigned or differently signed package is rejected even when it comes from the official host.

To set up GPG keys for a yum repo, we first need the URL of the repo. In our example we'll use the epel yum repo:

https://dl.fedoraproject.org/pub/epel/7/x86_64/

Let's first create a .repo file for this yum repo using yum-config-manager:

$ yum-config-manager --add-repo=https://dl.fedoraproject.org/pub/epel/7/x86_64/
Loaded plugins: fastestmirror, langpacks
adding repo from: https://dl.fedoraproject.org/pub/epel/7/x86_64/

[dl.fedoraproject.org_pub_epel_7_x86_64_]
name=added from: https://dl.fedoraproject.org/pub/epel/7/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/7/x86_64/
enabled=1

This command generated the following .repo file:

$ cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_7_x86_64_.repo

[dl.fedoraproject.org_pub_epel_7_x86_64_]
name=added from: https://dl.fedoraproject.org/pub/epel/7/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/7/x86_64/
enabled=1

By default, yum-config-manager writes a .repo file with no gpgcheck or gpgkey line. The repo is usable at this point, but whether packages from it are signature-checked now depends on the global gpgcheck setting in /etc/yum.conf, and with no gpgkey configured yum has no key to check them against. To enable GPG checking explicitly for the new repo, we need to append two more lines to the .repo file.

To add these lines, we first need to locate the epel repo's GPG key. In this case the key is published further up epel's directory tree:

https://dl.fedoraproject.org/pub/epel/

It is best practice to keep all repo GPG keys in the /etc/pki/rpm-gpg/ directory, alongside the distribution's own keys:

$ ls -l /etc/pki/rpm-gpg/
total 32
-rw-r--r--. 1 root root 1690 Mar 31  2015 RPM-GPG-KEY-CentOS-7
-rw-r--r--. 1 root root 1004 Mar 31  2015 RPM-GPG-KEY-CentOS-Debug-7
-rw-r--r--. 1 root root 1690 Mar 31  2015 RPM-GPG-KEY-CentOS-Testing-7
-rw-r--r--. 1 root root 1662 Nov 25  2014 RPM-GPG-KEY-EPEL-7
-rw-r--r--. 1 root root 3140 Sep 11 10:35 RPM-GPG-KEY-foreman
-rw-r--r--. 1 root root 5567 Aug 22  2014 RPM-GPG-KEY-nightly-puppetlabs
-rw-r--r--. 1 root root 1716 Aug 22  2014 RPM-GPG-KEY-puppetlabs

Let's download the epel GPG key into this directory using wget. Note the https URL: fetching the key over TLS from the project's own host protects it from being replaced in transit, but it does not by itself prove that this is the key the project signs with, so compare the key's fingerprint with the one Fedora publishes before relying on it:

$ cd /etc/pki/rpm-gpg/
$ wget https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
--2015-10-06 20:28:49--  https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
Resolving dl.fedoraproject.org (dl.fedoraproject.org)... 209.132.181.24, 209.132.181.23, 209.132.181.26, ...
Connecting to dl.fedoraproject.org (dl.fedoraproject.org)|209.132.181.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1662 (1.6K)
Saving to: ‘RPM-GPG-KEY-EPEL-7’

100%[=============================================================>] 1,662       --.-K/s   in 0s

2015-10-06 20:28:50 (18.0 MB/s) - ‘RPM-GPG-KEY-EPEL-7’ saved [1662/1662]

Now append a gpgcheck line and a gpgkey line pointing at the downloaded key, so that the .repo file reads:

$ cat /etc/yum.repos.d/dl.fedoraproject.org_pub_epel_7_x86_64_.repo

[dl.fedoraproject.org_pub_epel_7_x86_64_]
name=added from: https://dl.fedoraproject.org/pub/epel/7/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/7/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

That's all you need to do. The next time yum uses this repo it imports the key (printing the key's user ID and fingerprint and asking for confirmation, unless run with -y) and verifies the signature on every package it downloads from the repo.
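As an added example that is not part of the original article: the two shell functions below carry out the hardening step above on a .repo file of the kind yum-config-manager writes, and audit a /etc/yum.repos.d-style directory for stanzas that are not GPG-checked. The stanza name `epel-extra-example`, the `repo.example.invalid` URL and the files built in the temporary directory at the bottom are constructed for the demo; the key path is the one used above.

```shell
#!/bin/bash
# Added example (not from the original article). Section names, the
# repo.example.invalid URL and the sample .repo files below are constructed.

# enable_gpgcheck FILE SECTION KEYFILE
# Rewrite FILE so that the [SECTION] stanza ends with gpgcheck=1 and
# gpgkey=file://KEYFILE, replacing any gpgcheck/gpgkey lines already in that
# stanza. Other stanzas are left untouched, so it is safe on multi-repo files.
enable_gpgcheck() {
    local repo_file="$1" section="$2" key_file="$3" tmp
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="file://$key_file" '
        # Print the two lines once, when leaving the target stanza.
        function emit() {
            if (insec) { print "gpgcheck=1"; print "gpgkey=" key }
            insec = 0
        }
        /^[ \t]*\[/ {                               # stanza header
            emit(); printf "%s", blanks; blanks = ""
            l = $0; gsub(/[ \t]/, "", l)
            insec = (l == "[" sec "]")
            print; next
        }
        /^[ \t]*$/ { blanks = blanks $0 "\n"; next } # defer blank lines
        insec && /^[ \t]*(gpgcheck|gpgkey)[ \t]*=/ { next }  # drop old values
        { printf "%s", blanks; blanks = ""; print }
        END { emit(); printf "%s", blanks }
    ' "$repo_file" > "$tmp" && cat "$tmp" > "$repo_file"   # cat keeps mode/owner/context
    local rc=$?
    rm -f "$tmp"
    return $rc
}

# audit_repos DIR
# Print the name of every enabled stanza in DIR/*.repo that does not set
# gpgcheck=1 explicitly. A missing gpgcheck inherits the [main] default from
# yum.conf rather than being guaranteed, so it is reported too. Returns 1 if
# anything was printed, so the function can gate a deployment check.
audit_repos() {
    local dir="$1" bad
    bad=$(awk '
        function flush() {
            if (sec != "" && enabled && !checked) print sec
            sec = ""
        }
        FNR == 1 { flush() }                        # new file closes the last stanza
        /^[ \t]*\[/ {
            flush()
            l = $0; gsub(/[ \t]/, "", l)
            sec = substr(l, 2, length(l) - 2)
            enabled = 1; checked = 0                # yum: enabled unless enabled=0
            next
        }
        { l = $0; gsub(/[ \t]/, "", l) }            # tolerate "key = value"
        l ~ /^enabled=/  { enabled = (l != "enabled=0") }
        l ~ /^gpgcheck=/ { checked = (l == "gpgcheck=1") }
        END { flush() }
    ' "$dir"/*.repo)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Demo on constructed files in a temporary directory (no network, no root).
demo_dir=$(mktemp -d)
cat > "$demo_dir/epel.repo" <<'EOF'
[dl.fedoraproject.org_pub_epel_7_x86_64_]
name=added from: https://dl.fedoraproject.org/pub/epel/7/x86_64/
baseurl=https://dl.fedoraproject.org/pub/epel/7/x86_64/
enabled=1

[epel-extra-example]
name=constructed stanza: disabled, checking off
baseurl=https://repo.example.invalid/unsigned/
enabled=0
gpgcheck=0
EOF

echo "== before =="
audit_repos "$demo_dir" || echo "(enabled stanzas without gpgcheck=1 listed above)"
enable_gpgcheck "$demo_dir/epel.repo" dl.fedoraproject.org_pub_epel_7_x86_64_ \
    /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
echo "== after =="
audit_repos "$demo_dir" && echo "(all enabled stanzas are gpg-checked)"
cat "$demo_dir/epel.repo"
rm -rf "$demo_dir"
```

Run it as a normal user to see the before/after audit on the constructed files; on a real host point audit_repos at /etc/yum.repos.d. Before trusting a downloaded key, also run gpg --with-fingerprint on the key file and compare the fingerprint with the one the project publishes. Keep in mind that gpgcheck=1 covers package signatures only; repo_gpgcheck=1 is the separate setting that verifies the signature on the repository metadata, where the repository provides one.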

Tip: some popular repos, such as epel, are also packaged as an rpm themselves. Instead of doing all of the above, you can simply run:

$ yum install epel-release

This drops the GPG key into /etc/pki/rpm-gpg/ and the .repo file into /etc/yum.repos.d/. On CentOS 7 the epel-release package comes from the already configured extras repo, so the package, and with it the EPEL key, is itself signature-checked against the CentOS key on the way in. That is a safer way to obtain the key than fetching it by hand.