[Yum-devel] GPG key importing

seth vidal skvidal at phy.duke.edu
Tue Dec 14 09:06:06 UTC 2004

On Mon, 2004-12-13 at 23:39 +1000, Menno Smits wrote:
> I'm working on getting yum to import GPG keys into RPM itself. There 
> will be a per-repo "gpgkey" option that points to a disk file or URL 
> where the repository's public key is.
> After some experimentation I think the best approach is that if 
> gpgcheck=1 and the public key for an RPM to be installed is missing and 
> the gpgkey option is set, then the key is downloaded and installed.
> The one problem with this is that it may lead to keys being imported 
> multiple times (eg. if the gpgkey option is pointing to the wrong key). 
> RPM does nothing to prevent this.

But it also doesn't really care if they do get imported more than once.
However, I agree with you for cleanliness it should be imported only

> The obvious way to avoid duplicate imports is to check the key ID of the 
> downloaded key before attempting an import. It's easy to check if a 
> given key ID is already installed. The hard part is parsing out key ID 
> of the downloaded key. I could either implement some of RFC2440 to 
> extract the key ID (could be tricky) or use GPG to do it (adds a 
> dependency for yum on the GPG binary).
> Does anyone know of another way to handle this?

not really, unfortunately.

> Also, does anyone know what the release field of an imported GPG key is? 
> The version field is the key ID but can't find a number that corresponds 
> to the release field.

Check the importKey functions in the rpm sources. I know the release
field is explained there; I just can't remember what it is.

The other thing of importance is that rpm 4.4 is changing all this. It's
doing some automatic-key-verification bits. 

So you will want to keep that in the back of your mind. My interest in
what you're suggesting for yum is for systems running rpm 4.2, 4.3 etc
for 'semiautomatic' importing of gpg keys.

A couple of things to think about:

- what to do when sys.stdin is not a tty
- what to do when yum is invoked -y or assumeyes is set in the config

other than that - I say cool.
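
The key-ID extraction discussed in the quoted message ("implement some of RFC2440"), sketched as an added example; it is not part of the original message and not yum's code. The names dearmor, first_packet, key_id and SAMPLE are hypothetical, and it assumes the key file is one ASCII-armored block whose first packet is the primary public key.

```python
import base64, hashlib, struct
def dearmor(text):
    """Decode one armored block (RFC 2440 6.2), skipping armor headers and the =CRC line."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 2 or not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored OpenPGP block")
    body = lines[1:-1]
    body = body[body.index("") + 1:] if "" in body else body
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def first_packet(data):
    """Return (tag, body) of the first packet, old or new header format."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    hdr = data[0]
    if hdr & 0x40:                       # new format: tag in the low 6 bits
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not used for keys")
    else:                                # old format: tag in bits 5-2, length type in bits 1-0
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported")
        off = 1 + (1 << ltype)           # 1, 2 or 4 length octets
        length = int.from_bytes(data[1:off], "big")
    if len(data) < off + length:
        raise ValueError("truncated packet")
    return tag, data[off:off + length]

def key_id(armored):
    """Return the 64-bit key ID (lowercase hex) of the primary public key."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or not body:
        raise ValueError("first packet is not a public key")
    if body[0] == 4:                     # v4: low 64 bits of the SHA-1 fingerprint
        return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()[-8:].hex()
    if body[0] in (2, 3):                # v3 RSA: low 64 bits of the modulus n
        bits = struct.unpack(">H", body[8:10])[0]
        return body[10:10 + (bits + 7) // 8][-8:].hex()
    raise ValueError("unsupported key version")

# Constructed sample: a v3-layout packet with a made-up modulus, not a usable key.
SAMPLE = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % base64.b64encode(bytes.fromhex("981f" "03" "00000000" "0000" "01" "0080" "c0ffee00112233440123456789abcdef" "0011" "010001")).decode()
```

key_id(SAMPLE) returns the ID that would then be compared against the keys already present in the rpm database before deciding whether to import.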

