
On a RHEL 7.4 system, I add the salt-latest repo as follows:

yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm

Notice, amongst other things, this creates the following two GPG key files:

/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt
/etc/pki/rpm-gpg/saltstack-signing-key

For later reference, notice the fingerprint of the CentOS key ends with f4a80eb5:

# gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt

pub  4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
      Key fingerprint = 6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5

Attempt to reposync download:

mkdir /root/foobar

reposync --gpgcheck --plugins --repoid=salt-latest --download_path=/root/foobar --newest-only --downloadcomps --delete --download-metadata

It fails with errors like these:

Removing babel-0.9.6-8.el7.noarch.rpm, due to missing GPG key.
Removing libyaml-0.1.4-11.el7_0.i686.rpm, due to missing GPG key.
Removing libyaml-0.1.4-11.el7_0.x86_64.rpm, due to missing GPG key.

So I manually download all the files that failed (in a for-loop) and check the signatures of their signing keys. They are all the same, so here's just one of them for example:

wget http://repo.saltstack.com/yum/redhat/7/x86_64/latest/base/babel-0.9.6-8.el7.noarch.rpm

rpm -K babel-0.9.6-8.el7.noarch.rpm

babel-0.9.6-8.el7.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#f4a80eb5)

Notice the key PGP#f4a80eb5 matches the key referenced above, F4A8 0EB5. So why is it failing the gpg check?

Things I've tried include:

  • I edited /etc/yum.repos.d/salt-latest.repo and changed the gpgkey= line. I got the same failure with all three of these variations. As far as I can tell, changing the gpgkey= line has no effect:

    gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt
    gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt
    
  • I tried running reposync without --gpgcheck. It works, but obviously, it's bad to use it this way.

    reposync --plugins --repoid=salt-latest --download_path=/root/foobar --newest-only --downloadcomps --delete --download-metadata
    
  • I wonder if reposync is refusing to use the key because it's too weak (MD5)? But I couldn't think of any way to confirm or deny this.

  • I wonder if the key actually has an expiration date? But I couldn't find any way to confirm or deny this either.

Edward Ned Harvey

1 Answer


I stumbled upon the answer! It seems rpm must keep a keystore someplace separate from /etc/pki/rpm-gpg, and it seems insufficient for the gpgkey= line to be specified in the repo file.

After doing this, reposync works, and correctly validates all the signatures of all the files:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt

Also see: where does rpm install custom gpg keys? Keys are stored in the rpm database, and can be queried and removed using the following commands:

List the installed keys
    rpm -qa gpg-pubkey*

Get info about a particular installed key
    rpm -qi gpg-pubkey-db42a60e

Remove a particular installed key
    rpm -e gpg-pubkey-db42a60e

Contrary to @sciurus's answer, this information is not in the man page (at least not in RHEL 7.4).

Edward Ned Harvey
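As an added example (not part of the question or the answer above), here is the check the answer implies, written as a POSIX sh script: read the key id that `rpm -K` reports as missing and test whether that key is already imported into the rpm database (the `gpg-pubkey-<keyid>-<timestamp>` packages listed by `rpm -qa gpg-pubkey*`). The sample `rpm -K` line is the one quoted in the question; the two package lists are constructed to imitate the database before and after the `rpm --import` from the answer, with made-up timestamp suffixes.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes the
# `rpm -K` text format quoted on the page and the gpg-pubkey-<keyid>-<timestamp>
# package names that `rpm -qa gpg-pubkey*` returns.

# Print the lower-case 8-hex-digit key id named after "MISSING KEYS:" in an
# `rpm -K` line; print nothing when the line reports no missing key.
missing_keyid() {
    printf '%s\n' "$1" \
        | sed -n 's/.*MISSING KEYS:.*PGP#\([0-9a-fA-F]\{8\}\).*/\1/p' \
        | tr 'A-F' 'a-f'
}

# Return 0 when the key id is present in the package list, 1 otherwise.
# $1 = key id, $2 = output of `rpm -qa gpg-pubkey*` (one package name per line).
key_is_imported() {
    printf '%s\n' "$2" | grep -qi "^gpg-pubkey-$1-"
}

# Combine both checks. Returns 0 and prints nothing when the verdict names no
# missing key (a failure for another reason, such as a bad digest, is not this
# function's concern) or when the named key is already in the rpm database.
# Otherwise prints the key id that `rpm --import` would have to add and returns 1.
needs_import() {
    keyid=$(missing_keyid "$1")
    if [ -z "$keyid" ]; then
        return 0
    fi
    if key_is_imported "$keyid" "$2"; then
        return 0
    fi
    printf '%s\n' "$keyid"
    return 1
}

# Constructed sample data: the rpm -K line from the question, and two package
# lists imitating `rpm -qa gpg-pubkey*` before and after `rpm --import`
# (the -00000000 timestamp suffixes are made up).
SAMPLE_RPM_K='babel-0.9.6-8.el7.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#f4a80eb5)'
SAMPLE_DB_BEFORE='gpg-pubkey-db42a60e-00000000'
SAMPLE_DB_AFTER='gpg-pubkey-db42a60e-00000000
gpg-pubkey-f4a80eb5-00000000'

# Stand-alone demonstration on the constructed data. On a real RHEL 7 host you
# would feed it live output instead:
#   needs_import "$(rpm -K "$pkg")" "$(rpm -qa 'gpg-pubkey*')"
for db in "$SAMPLE_DB_BEFORE" "$SAMPLE_DB_AFTER"; do
    if id=$(needs_import "$SAMPLE_RPM_K" "$db"); then
        echo "signing key present in rpm db; reposync --gpgcheck will accept the package"
    else
        echo "key $id is not in the rpm db: run rpm --import on its key file before reposync --gpgcheck"
    fi
done
```

The point of the split into two functions is that a key file sitting under /etc/pki/rpm-gpg is invisible to this check, exactly as it is to rpm: only the `gpg-pubkey-*` entries in the rpm database count, so the script reports the question's situation (key file present, signature check failing) as a missing import rather than as a bad signature.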