In this tutorial, we will explore how to manage archive signing keys on CentOS. Archive signing keys are crucial for ensuring the integrity and authenticity of software packages installed on your system. Knowing how to list, import, and remove these keys is an essential skill for maintaining a secure and well-functioning CentOS environment.
In this tutorial you will learn:
How to list existing archive signing keys on CentOS
Software Requirements and Linux Command Line Conventions
Category: Requirements, Conventions or Software Version Used
System: CentOS 6, 7, 8, 9 or higher
Software: gnupg, rpm
Other: Internet connection for importing keys
Conventions: # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command; $ – requires given Linux commands to be executed as a regular non-privileged user
Managing Archive Signing Keys on CentOS
Managing archive signing keys on CentOS involves listing the currently installed keys, importing new ones to validate software packages from different repositories, and removing outdated or unnecessary keys. Below are the detailed steps for each of these tasks.
Listing Existing Archive Signing Keys: To list all the archive signing keys currently installed on your CentOS system, you can use the following command. This will show you the keys that your system trusts for package installations.
# rpm -qa gpg-pubkey
This command queries the RPM database for all installed GPG public keys, displaying their IDs and installation dates. For example, the output might look like this:
gpg-pubkey-8483c65d-5ccc5b1a
Importing New Archive Signing Keys: When you add a new repository, you might need to import its signing key to ensure the packages from the repository are trusted. Refer to the table below for all available CentOS signing keys and links. Use the following command to import a new key.
This command imports the specified GPG key into the RPM database, allowing your system to trust packages signed with this key. You can verify the import by listing the keys again:
# rpm -qa gpg-pubkey
After importing the key, you might see:
gpg-pubkey-8483c65d-5ccc5b1a
Getting Details of Installed Keys: To get detailed information about the installed GPG keys, use the following command:
gpg-pubkey-8483c65d-5ccc5b1a CentOS (CentOS Official Signing Key) <security@centos.org> public key
Removing Archive Signing Keys: If you no longer need a particular signing key, you can remove it from your system to avoid trusting outdated or untrusted keys. First, list the keys to find the key ID you want to remove:
# rpm -qa gpg-pubkey
Then, use the key ID to remove the specific key:
# rpm -e gpg-pubkey-8483c65d-5ccc5b1a
This command erases the specified GPG key from the RPM database.
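The listing step above can be turned into a routine audit that compares the trusted keys with the ones you expect, so an unexpected key is noticed before packages signed by it are installed. The script below is an added example, not part of the original tutorial; the function name audit_pubkeys is hypothetical, the allowlist holds this page's example key ID, and the second sample entry is made up.

```shell
#!/bin/sh
# Audit gpg-pubkey entries (as printed by `rpm -qa gpg-pubkey`) against an
# allowlist of short key IDs.

# audit_pubkeys "ID [ID...]"   (entries are read from stdin, one per line)
# Prints "ok <entry>", "unexpected <entry>" or "malformed <entry>" per line.
# Returns 0 only when every entry is on the allowlist.
audit_pubkeys() {
    # Normalise the allowlist to lowercase, padded with spaces for matching.
    allow=" $(printf '%s' "$1" | tr 'A-F' 'a-f') "
    rc=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        # Expected shape: gpg-pubkey-<8 hex digits>-<8 hex digits>
        if ! printf '%s\n' "$entry" |
                grep -Eq '^gpg-pubkey-[0-9a-f]{8}-[0-9a-f]{8}$'; then
            echo "malformed $entry"
            rc=1
            continue
        fi
        id=${entry#gpg-pubkey-}   # strip the package name prefix
        id=${id%-*}               # strip the trailing field, leaving the key ID
        case "$allow" in
            *" $id "*) echo "ok $entry" ;;
            *)         echo "unexpected $entry"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample input: the entry shown on this page plus a made-up one.
sample='gpg-pubkey-8483c65d-5ccc5b1a
gpg-pubkey-0123abcd-5f000000'

printf '%s\n' "$sample" | audit_pubkeys "8483C65D" ||
    echo "review the flagged entries before trusting packages signed by them"

# On a real host, feed it the live list instead:
#   rpm -qa gpg-pubkey | audit_pubkeys "8483c65d"
```

Any entry reported as unexpected or malformed should be inspected and, if it is not needed, removed with the rpm -e command shown above.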
The CentOS Project currently uses the following keys. Please note that CentOS Linux releases may have multiple GPG keys assigned, depending on the release and architecture. For CentOS 8, however, a single key will be used across all architectures and future releases. Special Interest Groups (SIGs) will continue to use separate keys as listed below.
Managing archive signing keys on CentOS is a vital aspect of system administration that ensures the integrity and security of your software packages. By following the steps outlined in this tutorial, you can effectively list, import, and remove GPG keys, maintaining a trusted environment for your CentOS system. Proper management of these keys helps prevent security issues and ensures that you are always installing verified and trustworthy software.