User story #6756

closed

New Technique to import a GPG Key into RPM

Added by Janos Mattyasovszky over 9 years ago. Updated over 8 years ago.

Status:
Released
Priority:
N/A
Category:
Techniques

Description

On self-signed rpm-md repositories we need to import our own GPG key for it to be accepted.
Currently there is no built-in Directive to do this.

Basically one needs to be able to import/verify/remove an ASCII Armored pub key using rpm --import, and it should be ensured that this key is trusted on the System.

See rpm manual:

Digital signatures cannot be verified without a public key. An ASCII armored public key can be added to the rpm database
using --import. An imported public key is carried in a header, and key ring management is performed exactly like package
management. For example, all currently imported public keys can be displayed by:

rpm -qa gpg-pubkey*

Details about a specific public key, when imported, can be displayed by querying. Here's information about the Red Hat
GPG/DSA key:

rpm -qi gpg-pubkey-db42a60e

Finally, public keys can be erased after importing just like packages. Here's how to remove the Red Hat GPG/DSA key

rpm -e gpg-pubkey-db42a60e


Subtasks 2 (0 open, 2 closed)

Bug #8003: update list of technique in maintained technique | Released | Benoît PECCATTE | 2016-02-29
Bug #8011: Technique check repository gpg key doesn't follow the normal ordering | Released | Benoît PECCATTE | 2016-03-01

Related issues 2 (0 open, 2 closed)

Related to Rudder - Bug #4876: On SLES, zypper repositories configured by Rudder request a GPG key check at each manual execution of CFEngine agent | Rejected | 2014-05-21
Has duplicate Rudder - User story #3371: APT package manager should manage GPG keys for added repos | Rejected | 2013-03-22
#1

Updated by Nicolas CHARLES over 9 years ago

  • Category set to Techniques

Hi Janos,

Thank you for this suggestion. Is there an easy way to check if a key is already accepted, without running rpm? Does it store the keys in a specific location?

#2

Updated by Janos Mattyasovszky over 9 years ago

Hi,

GPG Keys are identified by the Pubkey's signature, and are handled as "meta RPM packages", like these:

# rpm -qa gpg-pubkey\*
gpg-pubkey-b37b98a9-4be01a1a
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-9c800aca-4be01999
gpg-pubkey-512adb3c-544a7777
gpg-pubkey-6a89acb9-54f5c0fa
gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-cb53db96-544a7c27

They are stored in the /var/lib/rpm Directory in flatfile-Based BDB (Berkeley Database) Files:

# file /var/lib/rpm/Packages
/var/lib/rpm/Packages: Berkeley DB (Hash, version 8, native byte-order)

# db_stat -d /var/lib/rpm/Packages
Tue Jun 30 14:08:44 2015        Local time
61561   Hash magic number
8       Hash version number
Little-endian   Byte order
        Flags
4096    Underlying database page size
0       Specified fill factor
750     Number of keys in the database
750     Number of data items in the database
4       Number of hash buckets
600     Number of bytes free on bucket pages (96% ff)
6974    Number of overflow pages
1468848 Number of bytes free in overflow pages (94% ff)
1       Number of bucket overflow pages
4007    Number of bytes free in bucket overflow pages (2% ff)
0       Number of duplicate pages
0       Number of bytes free in duplicate pages (0% ff)
744     Number of pages on the free list

There is no easy way to check for the existence of any imported GPG Key without using RPM, which is designed to handle these files, except by using some kind of DB-Manipulation self-compiled C Program using BDB Bindings, which is absolute nonsense, as RPM is basically the binary to handle this format :)

And the impact of an RPM call is way below anything worth mentioning:

# time (rpm --quiet -q gpg-pubkey-6a89acb9-54f5c0fa; echo $?)
0

real    0m0.036s
user    0m0.016s
sys     0m0.016s

# time (rpm --quiet -q gpg-pubkey-6a89acb9-foobarxx; echo $?)
1

real    0m0.033s
user    0m0.016s
sys     0m0.012s

There are way bigger things that eat away performance :-)
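
The check-then-import pattern from the comment above, as an added example that is not part of the original thread or of the Rudder technique. The function names and the `KEY_STATE` values (kept/repaired/error) are assumptions of this sketch; the caller pins the expected `gpg-pubkey-<id>-<created>` name instead of trusting whatever the key file contains.

```shell
#!/bin/sh
# Added example: idempotent "ensure present / ensure absent" for RPM GPG keys.
# KEY_STATE (kept/repaired/error) is this example's own convention.

# Accept only names of the form rpm lists for imported keys:
# gpg-pubkey-<8 hex digits>-<8 hex digits>. Without this check, a typo or a
# hostile value handed to `rpm -e` could erase a real package.
valid_key_pkg() {
    printf '%s\n' "$1" | grep -Eq '^gpg-pubkey-[0-9a-f]{8}-[0-9a-f]{8}$'
}

# Exit status 0 if the key entry exists in the rpm database, 1 otherwise.
key_present() {
    rpm --quiet -q "$1"
}

# ensure_rpm_key <expected gpg-pubkey name> <ASCII-armored key file>
ensure_rpm_key() {
    KEY_STATE=error
    valid_key_pkg "$1" || return 2
    if key_present "$1"; then
        KEY_STATE=kept          # already trusted, nothing to do
        return 0
    fi
    rpm --import "$2" || return 1
    # Re-check against the pinned name: if the file held a different key, the
    # expected entry is still missing and the run is reported as an error.
    # The unexpected key stays in the rpm database until someone removes it.
    key_present "$1" || return 1
    KEY_STATE=repaired
}

# remove_rpm_key <gpg-pubkey name>
remove_rpm_key() {
    KEY_STATE=error
    valid_key_pkg "$1" || return 2
    if ! key_present "$1"; then
        KEY_STATE=kept          # already absent
        return 0
    fi
    rpm -e "$1" || return 1
    KEY_STATE=repaired
}
```

An `error` state after an import means the file did not contain the pinned key; compare `rpm -qa gpg-pubkey\*` before and after to find what was actually added.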

#3

Updated by Janos Mattyasovszky about 9 years ago

  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/763

Please review and merge if acceptable:

https://github.com/Normation/rudder-techniques/pull/763

thx
Janos

#4

Updated by Janos Mattyasovszky about 9 years ago

  • Assignee set to Nicolas CHARLES
#5

Updated by Janos Mattyasovszky about 9 years ago

  • Pull Request changed from https://github.com/Normation/rudder-techniques/pull/763 to https://github.com/Normation/rudder-techniques/pull/764
#6

Updated by Alexis Mousset almost 9 years ago

  • Related to Bug #4876: On SLES, zypper repositories configured by Rudder request a GPG key check at each manual execution of CFEngine agent added
#7

Updated by Janos Mattyasovszky over 8 years ago

  • Status changed from New to Pending release
  • % Done changed from 0 to 100
#8

Updated by Nicolas CHARLES over 8 years ago

  • Related to Bug #8003: update list of technique in maintained technique added
#9

Updated by Nicolas CHARLES over 8 years ago

  • Related to Bug #8011: Technique check repository gpg key doesn't follow the normal ordering added
#10

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version set to 2.11.19
#11

Updated by Alexis Mousset over 8 years ago

  • Has duplicate User story #3371: APT package manager should manage GPG keys for added repos added
#12

Updated by Vincent MEMBRÉ over 8 years ago

  • Subject changed from Please create technique to import a GPG Key into RPM to New Technique to import a GPG Key into RPM
#13

Updated by Vincent MEMBRÉ over 8 years ago

  • Related to deleted (Bug #8003: update list of technique in maintained technique)
#14

Updated by Vincent MEMBRÉ over 8 years ago

  • Related to deleted (Bug #8011: Technique check repository gpg key doesn't follow the normal ordering)
#15

Updated by Vincent MEMBRÉ over 8 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.19, 3.0.14, 3.1.8 and 3.2.1 which were released today.
