jonuwz · April 8, 2022 08:50
diff --git a/RPM notes b/RPM notes
 Notes on RPM signatures.

 Background 
 -----------

 Yum is not rpm.
 Yum trusts signatures on yum repository metadata.
 Rpm trusts signatures on individual rpm packages.

 They have separate keyrings.


 RPM
 ----

 Common misconception :

 By convention, official rpm gpg signing keys are stored in /etc/pki/rpm-gpg
 However, this is just where the files are placed before being imported into the rpmdb.
 This is not the source of truth for which GPG keys are trusted.

 Truths:

 Trusted rpm gpg keys are located in the rpmdb
 The rpmdb is located at /var/lib/rpm, but cannot be directly modified with filesystem operations.

 Importing gpgkeys :

 You can trust a GPG key to verify rpm packages with :
 # rpm --import <location>

 where location is a path on the filesystem, or a url

 This action creates an entry in the rpmdb of the form : gpg-pubkey-<release>-<version>
 NOTE: this does not put anything in /etc/pki/rpm-gpg

 emphasis:

 importing a gpg public key creates an entry in the rpm database.
 These all have the name package name 'gpg-pubkey', and are not themselves signed.
 These packages have 'Group : Public Keys'


 Querying the list of trusted GPG keys :

 # rpm]# rpm -q gpg-pubkey --qf '%{NAME} %{VERSION} %{RELEASE} %{SUMMARY}\n'

 gpg-pubkey 8483c65d 5ccc5b19 gpg(CentOS (CentOS Official Signing Key) <[email protected]>)
 gpg-pubkey 777715e3 61e8bf8d gpg(Gitlab Packages (RPM Signing Key) <[email protected]>)

 The actual GPG key can be viewed for a specific gpg-pubkey entry in the description of the rpm
 # rpm -qi gpg-pubkey-777715e3-61e8bf8d

 or for all trusted gpg keys :
 # rpm -qi gpg-pubkey

 Removing a gpg key :

 This can be performed the same way you would remove a regular rpm

 # rpm -e gpg-pubkey-777715e3-61e8bf8d

 Checking the sinarure of an rpm on the filesystem :

 # rpm -K ./example-1.0-1.x86_64.rpm
 ./example-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK

 has return code 1

 rpm -K ./example-1.0-1.x86_64.rpm
 ./example-1.0-1.x86_64.rpm: digests signatures OK

 hast return code 0


 Querying which GPG key signed an rpm package :

 This is viewable in Signature section of the 
 # rpm -qp gcc

 Or, more directly :

 # rpm -q gcc --qf '%{SIGPGP:pgpsig}\n'
 RSA/SHA256, Fri 12 Nov 2021 09:14:39 PM UTC, Key ID 05b555b38483c65d

 The Key ID is the important part. This is the tail end of the fingerprint of a gpg key.


 Assuming you have extracted and imported all the rpm gpg-pubkey keys into your own keyring, you can run :

 gpg --list-keys --fingerprint 05b555b38483c65d

 to determine the GPG key that signed the rpm.
	Notes on RPM signatures.

	Background
	-----------

	Yum is not rpm.
	Yum trusts signatures on yum repository metadata.
	Rpm trusts signatures on individual rpm packages.

	They have separate keyrings.


	RPM
	----

	Common misconception :

	By convention, official rpm gpg signing keys are stored in /etc/pki/rpm-gpg
	However, this is just where the files are placed before being imported into the rpmdb.
	This is not the source of truth for which GPG keys are trusted.

	Truths:

	Trusted rpm gpg keys are located in the rpmdb
	The rpmdb is located at /var/lib/rpm, but cannot be directly modified with filesystem operations.

	Importing gpgkeys :

	You can trust a GPG key to verify rpm packages with :
	# rpm --import <location>

	where location is a path on the filesystem, or a url

	This action creates an entry in the rpmdb of the form : gpg-pubkey-<release>-<version>
	NOTE: this does not put anything in /etc/pki/rpm-gpg

	emphasis:

	importing a gpg public key creates an entry in the rpm database.
	These all have the name package name 'gpg-pubkey', and are not themselves signed.
	These packages have 'Group : Public Keys'


	Querying the list of trusted GPG keys :

	# rpm]# rpm -q gpg-pubkey --qf '%{NAME} %{VERSION} %{RELEASE} %{SUMMARY}\n'

	gpg-pubkey 8483c65d 5ccc5b19 gpg(CentOS (CentOS Official Signing Key) <[email protected]>)
	gpg-pubkey 777715e3 61e8bf8d gpg(Gitlab Packages (RPM Signing Key) <[email protected]>)

	The actual GPG key can be viewed for a specific gpg-pubkey entry in the description of the rpm
	# rpm -qi gpg-pubkey-777715e3-61e8bf8d

	or for all trusted gpg keys :
	# rpm -qi gpg-pubkey

	Removing a gpg key :

	This can be performed the same way you would remove a regular rpm

	# rpm -e gpg-pubkey-777715e3-61e8bf8d

	Checking the sinarure of an rpm on the filesystem :

	# rpm -K ./example-1.0-1.x86_64.rpm
	./example-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK

	has return code 1

	rpm -K ./example-1.0-1.x86_64.rpm
	./example-1.0-1.x86_64.rpm: digests signatures OK

	hast return code 0


	Querying which GPG key signed an rpm package :

	This is viewable in Signature section of the
	# rpm -qp gcc

	Or, more directly :

	# rpm -q gcc --qf '%{SIGPGP:pgpsig}\n'
	RSA/SHA256, Fri 12 Nov 2021 09:14:39 PM UTC, Key ID 05b555b38483c65d

	The Key ID is the important part. This is the tail end of the fingerprint of a gpg key.


	Assuming you have extracted and imported all the rpm gpg-pubkey keys into your own keyring, you can run :

	gpg --list-keys --fingerprint 05b555b38483c65d

	to determine the GPG key that signed the rpm.