[Yum-devel] [PATCH] semi-automated GPG key imports

Menno Smits menno-yum at freshfoo.com
Thu Dec 30 05:55:49 UTC 2004


Hi all,

Please find attached a patch to allow yum to automatically install GPG 
keys as required. Additionally the attached pgpmsg.py should be added to 
the yum/ dir of the source tree (this is unmodified from the original).

I've tested the pgpmsg.py module extensively against many keys and I 
can't fault it although you do need to know what to look for sometimes.

The implementation works as discussed earlier on this list, that is:

* A URL pointing to the GPG key for each repo is set via "gpgkey" option
* If a GPG signature check for a package fails and gpgkey is set for
   the repo then the remote key is downloaded and parsed.
* If the key has already been imported locally an error is given and yum
   aborts.
* Otherwise, the user is prompted (with the user ID of the key) to
   confirm the import (unless -y is in effect).
* The key is imported and the pkg sig is verified again.
* If the verify still fails, yum gives up with a useful message.
   Otherwise, GPG verification (and the transaction) continue.

Future work related to this feature:
    - man page needs to be updated to document the new gpgkey option
    - upgrading of keys should be possible by comparing the key
      creation timestamp of installed and remote keys. I've started
      something in this direction (see yum.misc.keyInstalled()) but I'm
      not sure how important this really is
    - I'd like to see if adding HKP support directly to yum is possible
      and I may prototype this. This would negate the need for a
      gpgkey option and is much easier for the novice user to handle.
      Overall a much cleaner solution.

I've tested this patch here with many different repos and packages 
and it works well for me. Further testing by others would be greatly 
appreciated.

Enjoy!
Menno



-------------- next part --------------
A non-text attachment was scrubbed...
Name: yum-gpgkey.patch
Type: text/x-patch
Size: 13383 bytes
Desc: not available
Url : http://lists.baseurl.org/pipermail/yum-devel/attachments/20041230/88b0f419/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgpmsg.py
Type: application/x-python
Size: 44963 bytes
Desc: not available
Url : http://lists.baseurl.org/pipermail/yum-devel/attachments/20041230/88b0f419/attachment-0001.bin 
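
The import flow listed in the message above, modelled as an added example. This is not code from the attached patch or from yum. The signature check is a stand-in (a package counts as verified when its signer's key ID is in an in-memory keyring), and the names `Package`, `verify_or_import`, `fetch_key` and the key URL are hypothetical, with constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

class GPGKeyError(Exception):
    """The flow gives up and the transaction must abort."""

@dataclass
class Package:
    name: str
    signer: Optional[str]        # key ID that signed the package, None if unsigned
    repo_gpgkey: Optional[str]   # the repo's "gpgkey" URL, None if not configured

def sig_ok(pkg: Package, keyring: Dict[str, str]) -> bool:
    # Stand-in for the real signature check: trusted only if the signer is imported.
    return pkg.signer is not None and pkg.signer in keyring

def verify_or_import(pkg, keyring, fetch_key, confirm, assume_yes=False) -> str:
    """Return "verified" or "imported"; raise GPGKeyError on every other path."""
    if sig_ok(pkg, keyring):
        return "verified"
    if not pkg.repo_gpgkey:
        raise GPGKeyError(f"{pkg.name}: signature check failed and no gpgkey is set")
    key_id, user_id = fetch_key(pkg.repo_gpgkey)      # download and parse the remote key
    if key_id in keyring:
        # Key is already trusted, so importing it again cannot fix the failure.
        raise GPGKeyError(f"{pkg.name}: key {key_id} already imported, signature still bad")
    if not assume_yes and not confirm(user_id, key_id):
        raise GPGKeyError(f"{pkg.name}: import of {key_id} declined")
    keyring[key_id] = user_id
    if not sig_ok(pkg, keyring):                      # verify again after the import
        raise GPGKeyError(f"{pkg.name}: not signed by imported key {key_id}")
    return "imported"

# Constructed sample data: one key served at one URL.
KEY_URL = "https://repo.example/RPM-GPG-KEY-example"
def fetch_key(url: str) -> Tuple[str, str]:
    return {KEY_URL: ("AAAA1111", "Example Repo <packager@repo.example>")}[url]

if __name__ == "__main__":
    ring: Dict[str, str] = {}
    good = Package("foo-1.0", "AAAA1111", KEY_URL)
    bad = Package("bar-1.0", "BBBB2222", KEY_URL)
    print(verify_or_import(good, ring, fetch_key, lambda u, k: True))   # imported
    print(verify_or_import(good, ring, fetch_key, lambda u, k: True))   # verified
    try:
        verify_or_import(bad, ring, fetch_key, lambda u, k: True)
    except GPGKeyError as e:
        print("abort:", e)
```

With `assume_yes=True` the confirmation callback is never called, so under -y the only remaining check on which key gets trusted is where the gpgkey URL points.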

