Introduction
GPG (GNU Privacy Guard) keys are used to make sure that we are getting the right package from a trusted repository. Moreover, GPG can be used for any secure transmission over the network. For instance, we can send an encrypted, signed message with attachments over the internet.

Existing Default GPG Keys
We can find the default installed RPM GPG keys under the location below.
# ls -lthr /etc/pki/rpm-gpg/
[root@rocket ~]# ls -lthr /etc/pki/rpm-gpg/
total 8.0K
-rw-r--r--. 1 root root 1.7K Mar 12 23:16 RPM-GPG-KEY-centostesting
-rw-r--r--. 1 root root 1.7K Mar 12 23:16 RPM-GPG-KEY-centosofficial
[root@rocket ~]#
Installing a Package without GPG Keys
Installing a package without a valid signing key is possible. However, in a critical production environment, you have to adhere to your company security policy to implement a strict GPG check for all packages, including local installs.
In this guide, we are performing a local install which strictly looks for a valid signing GPG key. Because the key is not available on the server, the install fails with the error “Error: GPG check FAILED”.
[root@rocket ~]# yum localinstall filebeat-7.6.2-x86_64.rpm
Install 1 Package
Total size: 24 M
Installed size: 77 M
Is this ok [y/N]: y
Downloading Packages:
warning: /root/filebeat-7.6.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Public key for filebeat-7.6.2-x86_64.rpm is not installed
Error: GPG check FAILED
[root@rocket ~]#
Verifying before Installation
Before installing a package, we can verify whether the signing GPG key is in place for the RPM by using the -K option.
[root@rocket ~]# rpmkeys -K filebeat-7.6.2-x86_64.rpm
filebeat-7.6.2-x86_64.rpm: digests SIGNATURES NOT OK
[root@rocket ~]#
- -K, --checksig – verify package signature(s)
Importing GPG Key
Before installing any third-party package, import its signing GPG key using the rpm command with the --import option. Let’s try to install the Filebeat package with its signing key from Elastic.
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Right after importing the key, let’s check for the signing key.
[root@rocket ~]# rpmkeys -K filebeat-7.6.2-x86_64.rpm
filebeat-7.6.2-x86_64.rpm: digests signatures OK
[root@rocket ~]#
Printing installed GPG Keys
To list all the installed GPG keys, we use the command below.
[root@rocket ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-8483c65d-5ccc5b19 gpg(CentOS (CentOS Official Signing Key) security@centos.org)
gpg-pubkey-d88e42b4-52371eca gpg(Elasticsearch (Elasticsearch Signing Key) dev_ops@elasticsearch.org)
[root@rocket ~]#
- rpm – rpm command
- -q – query
- --qf – Query format
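The two checks shown so far, the `rpmkeys -K` result line and the installed-key listing, can be combined into a pre-install gate. The script below is an added example, not part of the original guide; its function names are hypothetical and its sample lines are constructed from the transcripts above. Any result text other than the formats shown on this page is treated as a failure.

```bash
#!/bin/sh
# Added example; function names are hypothetical, sample lines are constructed
# from the transcripts in this guide.

# classify_checksig "<one line of rpmkeys -K output>" -> signed-ok|unsigned|failed
# Lower-case "signatures" means a signature was verified. "digests OK" alone
# means only checksums were checked, e.g. the package carries no signature.
# Any result text this function does not recognise is reported as failed.
classify_checksig() {
    cs_result=${1##*: }                 # text after "<file>: "
    case "$cs_result" in
        *"NOT OK"*)     echo failed ;;
        *signatures*OK) echo signed-ok ;;
        *OK)            echo unsigned ;;
        *)              echo failed ;;
    esac
}

# nokey_id "<yum/rpm warning line>" -> key ID named in a NOKEY warning
nokey_id() {
    printf '%s\n' "$1" | sed -n 's/.*key ID \([0-9a-fA-F]*\): NOKEY.*/\1/p'
}

# keyid_installed <key id> "<output of: rpm -q gpg-pubkey --qf ...>"
# Matches on gpg-pubkey-<last 8 hex digits of key id>-<release>.
# Returns 0 if present, 1 if absent, 2 if the key id is malformed.
keyid_installed() {
    ki_id=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/.*\(.\{8\}\)$/\1/')
    case "$ki_id" in
        ????????) ;;
        *) return 2 ;;
    esac
    case "$ki_id" in *[!0-9a-f]*) return 2 ;; esac
    printf '%s\n' "$2" | grep -q "^gpg-pubkey-${ki_id}-"
}

# Constructed sample: the key listing shown above, after the import.
KEYRING_SAMPLE='gpg-pubkey-8483c65d-5ccc5b19 gpg(CentOS (CentOS Official Signing Key) security@centos.org)
gpg-pubkey-d88e42b4-52371eca gpg(Elasticsearch (Elasticsearch Signing Key) dev_ops@elasticsearch.org)'

# Gate on a real host: install only when the signature verified, e.g.
#   [ "$(classify_checksig "$(rpmkeys -K pkg.rpm)")" = signed-ok ] && yum localinstall pkg.rpm
for line in 'filebeat-7.6.2-x86_64.rpm: digests SIGNATURES NOT OK' \
            'filebeat-7.6.2-x86_64.rpm: digests signatures OK' \
            'unsigned-example.rpm: digests OK'; do
    printf '%-10s %s\n' "$(classify_checksig "$line")" "$line"
done
```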
Installing a Package with GPG Key
Let’s try to install the package again. Now it should go through smoothly, without throwing any errors as before.
Running transaction
Preparing : 1/1
Installing : filebeat-7.6.2-1.x86_64 1/1
Running scriptlet: filebeat-7.6.2-1.x86_64 1/1
Verifying : filebeat-7.6.2-1.x86_64 1/1
Installed:
filebeat-7.6.2-1.x86_64
Complete!
[root@rocket ~]#
Finally, let’s see how to remove a GPG key.
Removing a GPG Key
The above output lists two keys. Let’s remove the Elasticsearch key and verify the same.
# rpm -e gpg-pubkey-d88e42b4-52371eca
After removing the Elastic key, we have only one key now.
[root@rocket ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-8483c65d-5ccc5b19 gpg(CentOS (CentOS Official Signing Key) security@centos.org)
[root@rocket ~]#
That’s it. We have successfully imported and removed a GPG key.
Conclusion
By importing the GPG key for any third-party package, we are sure that we are getting the right package from a trusted repository.