User story #6756
closed
New Technique to import a GPG Key into RPM
Description
On self-signed rpm-md repositories we need to import the own GPG key for it to be accepted.
Currently there is not built in Directive to do this.
Basically one needs to be able to import/verify/remove an ASCII Armored pub key using rpm --import, and it should be ensured that this key is trusted on the System.
See rpm manual:
Digital signatures cannot be verified without a public key. An ASCII armored public key can be added to the rpm database using --import. An imported public key is carried in a header, and key ring management is performed exactly like package management. For example, all currently imported public keys can be displayed by: rpm -qa gpg-pubkey* Details about a specific public key, when imported, can be displayed by querying. Here's information about the Red Hat GPG/DSA key: rpm -qi gpg-pubkey-db42a60e Finally, public keys can be erased after importing just like packages. Here's how to remove the Red Hat GPG/DSA key rpm -e gpg-pubkey-db42a60e
Updated by Nicolas CHARLES over 9 years ago
- Category set to Techniques
Hi Janos,
thank you for this suggestion. Is there an easy way to check if a key is already accepted, without running rpm ? Does it stores the keys in a specific location ?
Updated by Janos Mattyasovszky over 9 years ago
Hi,
GPG Keys are identified by the Pubkey's signature, and are handled as "meta RPM packages", like these:
# rpm -qa gpg-pubkey\* gpg-pubkey-b37b98a9-4be01a1a gpg-pubkey-307e3d54-4be01a65 gpg-pubkey-9c800aca-4be01999 gpg-pubkey-512adb3c-544a7777 gpg-pubkey-6a89acb9-54f5c0fa gpg-pubkey-3d25d3d9-36e12d04 gpg-pubkey-cb53db96-544a7c27
They are stored in the /var/lib/rpm Directory in flatfile-Based BDB (Berkeley Database) Files:
# file /var/lib/rpm/Packages
/var/lib/rpm/Packages: Berkeley DB (Hash, version 8, native byte-order)
# db_stat -d /var/lib/rpm/Packages
Tue Jun 30 14:08:44 2015 Local time
61561 Hash magic number
8 Hash version number
Little-endian Byte order
Flags
4096 Underlying database page size
0 Specified fill factor
750 Number of keys in the database
750 Number of data items in the database
4 Number of hash buckets
600 Number of bytes free on bucket pages (96% ff)
6974 Number of overflow pages
1468848 Number of bytes free in overflow pages (94% ff)
1 Number of bucket overflow pages
4007 Number of bytes free in bucket overflow pages (2% ff)
0 Number of duplicate pages
0 Number of bytes free in duplicate pages (0% ff)
744 Number of pages on the free list
There is not easy way to check for the existence of any imported GPG Key without using RPM, that's designed to handle these files, except of using some kind of DB-Manipulation self-compiled C Program using BDB Bindings, which is absolute non sense, as RPM is basically the binary to handle this format :)
And the impact of an RPM call is way below anything worth mentioning:
# time (rpm --quiet -q gpg-pubkey-6a89acb9-54f5c0fa; echo $?) 0 real 0m0.036s user 0m0.016s sys 0m0.016s # time (rpm --quiet -q gpg-pubkey-6a89acb9-foobarxx; echo $?) 1 real 0m0.033s user 0m0.016s sys 0m0.012s
There are way bigger things that eat away performance :-)
Updated by Janos Mattyasovszky about 9 years ago
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/763
Please review and merge if acceptable:
https://github.com/Normation/rudder-techniques/pull/763
thx
Janos
Updated by Janos Mattyasovszky about 9 years ago
- Assignee set to Nicolas CHARLES
Updated by Janos Mattyasovszky about 9 years ago
- Pull Request changed from https://github.com/Normation/rudder-techniques/pull/763 to https://github.com/Normation/rudder-techniques/pull/764
Updated by Alexis Mousset almost 9 years ago
- Related to Bug #4876: On SLES, zypper repositories configured by Rudder request a GPG key check at each manual execution of CFEngine agent added
Updated by Janos Mattyasovszky over 8 years ago
- Status changed from New to Pending release
- % Done changed from 0 to 100
Applied in changeset rudder-techniques|8fb8ce0cc34d9180d17719e8885d7724b8160838.
Updated by Nicolas CHARLES over 8 years ago
- Related to Bug #8003: update list of technique in maintained technique added
Updated by Nicolas CHARLES over 8 years ago
- Related to Bug #8011: Technique check repository gpg key doesn't follow the normal ordering added
Updated by Alexis Mousset over 8 years ago
- Has duplicate User story #3371: APT package manager should manage GPG keys for added repos added
Updated by Vincent MEMBRÉ over 8 years ago
- Subject changed from Please create technique to import a GPG Key into RPM to New Technique to import a GPG Key into RPM
Updated by Vincent MEMBRÉ over 8 years ago
- Related to deleted (Bug #8003: update list of technique in maintained technique)
Updated by Vincent MEMBRÉ over 8 years ago
- Related to deleted (Bug #8011: Technique check repository gpg key doesn't follow the normal ordering)
Updated by Vincent MEMBRÉ over 8 years ago
- Status changed from Pending release to Released