In this tutorial, we will explore how to manage archive signing keys on CentOS. Archive signing keys are crucial for ensuring the integrity and authenticity of software packages installed on your system. Knowing how to list, import, and remove these keys is an essential skill for maintaining a secure and well-functioning CentOS environment.
In this tutorial you will learn:
- How to list existing archive signing keys on CentOS
- How to import new archive signing keys
- How to remove archive signing keys
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | CentOS 6, 7, 8, 9 or higher |
| Software | gnupg, rpm |
| Other | Internet connection for importing keys |
| Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
Managing Archive Signing Keys on CentOS
Managing archive signing keys on CentOS involves listing the currently installed keys, importing new ones to validate software packages from different repositories, and removing outdated or unnecessary keys. Below are the detailed steps for each of these tasks.
- Listing Existing Archive Signing Keys: To list all the archive signing keys currently installed on your CentOS system, you can use the following command. This will show you the keys that your system trusts for package installations.
# rpm -qa gpg-pubkey
This command queries the RPM database for all installed GPG public keys, displaying their IDs and installation dates. For example, the output might look like this:
gpg-pubkey-8483c65d-5ccc5b1a
- Importing New Archive Signing Keys: When you add a new repository, you might need to import its signing key to ensure the packages from the repository are trusted. Refer to the table below for all available CentOS signing keys and links. Use the following command to import a new key.
# rpm --import <KEY FILE OR URL> Example: # rpm --import https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official-SHA256
This command imports the specified GPG key into the RPM database, allowing your system to trust packages signed with this key. You can verify the import by listing the keys again:
# rpm -qa gpg-pubkey
After importing the key, you might see:
gpg-pubkey-8483c65d-5ccc5b1a
- Getting Details of Installed Keys: To get detailed information about the installed GPG keys, use the following command:
# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'The output will provide details such as:
gpg-pubkey-8483c65d-5ccc5b1a CentOS (CentOS Official Signing Key) <security@centos.org> public key
- Removing Archive Signing Keys: If you no longer need a particular signing key, you can remove it from your system to avoid trusting outdated or untrusted keys. First, list the keys to find the key ID you want to remove:
# rpm -qa gpg-pubkey
Then, use the key ID to remove the specific key:
# rpm -e gpg-pubkey-8483c65d-5ccc5b1a
This command erases the specified GPG key from the RPM database.
Commands to List, Import, and Remove Archive Signing Keys on CentOS
CentOS Signing Keys Information
The CentOS Project currently uses the following keys. Please note that CentOS Linux releases may have multiple GPG keys assigned, depending on the release and architecture. For CentOS 8, however, a single key will be used across all architectures and future releases. Special Interest Groups (SIGs) will continue to use separate keys as listed below.
| Key Description | Download URL | Key Details |
|---|---|---|
| CentOS Official Signing Key (SHA256) | download key – SHA256 | pub 4096R/8483C65D 2019-05-03 Key fingerprint = 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D |
| CentOS Official Signing Key (SHA1) | download key – SHA1 | |
| CentOS Testing Key | download key | pub 4096R/5BA5FA8D 2019-05-03 Key fingerprint = 793D 9072 6BF0 22DA E868 2C36 762E 6585 5BA5 FA8D |
| CentOS 7 Signing Key | download key | pub 4096R/F4A80EB5 2014-06-23 Key fingerprint = 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5 |
| CentOS 7 Debug Key | download key | pub 2048R/B6792C39 2014-07-15 Key fingerprint = 759D 690F 6099 2D52 6A35 8CBD D0F2 5A3C B679 2C39 |
| CentOS 7 Testing Key | download key | pub 4096R/8FAE34BD 2014-06-04 Key fingerprint = BA02 A5E6 AFF9 70F7 269D D972 C788 93AC 8FAE 34BD |
| CentOS-6 Signing Key | download key | pub 4096R/C105B9DE 2011-07-03 Key fingerprint = C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE |
| CentOS-6 Debug Key | download key | pub 4096R/D0FF3D16 2011-07-03 Key fingerprint = 69B3 0F26 BA2B 3AA4 C27C E4F5 3B75 CF79 D0FF 3D16 |
| CentOS-6 Testing Key | download key | pub 4096R/EF1D6DB8 2011-07-03 Key fingerprint = 4233 9C29 8BC4 352C A4F9 7504 119C 1A87 EF1D 6DB8 |
| CentOS-6 Security Key | download key | pub 4096R/FE837F6F 2011-07-03 Key fingerprint = 0830 F43C 928A A5A8 A6F1 AF97 0B13 2C3F FE83 7F6F |
| CentOS-5 Signing Key | download key | pub 1024D/E8562897 2007-01-06 Key fingerprint = 473D 66D5 2122 71FD 51CC 17B1 A8A4 47DC E856 2897 sub 1024g/1E9EA3B6 2007-01-06 [expires: 2017-01-03] |
| CentOS-5 Beta Key | download key | pub 1024D/092D7B2B 2007-01-06 Key fingerprint = 5D82 2DFA 48B3 BE04 586C BD4D CFDA 6881 092D 7B2B sub 1024g/DA743639 2007-01-06 [expires: 2017-01-03] |
| Extras (meta repo for all SIGs) | download key | pub 2048R/1D997668 2021-12-16 Key fingerprint = 363F C097 2F64 B699 AED3 968E 1FF6 A217 1D99 7668 sub 2048R/FCA5D0FF 2021-12-16 |
| AltImages SIG | download key | pub 2048R/B094B96D 2023-06-02 Key fingerprint = 2C77 CFEB 1F99 C559 E52B 3CDC 8DEF 9614 B094 B96D |
| Atomic SIG | download key | pub 2048R/91BA8335 2015-06-10 Key fingerprint = 64E3 E755 8572 B59A 3194 52AA F17E 7456 91BA 8335 |
| Automotive SIG | download key | pub 2048R/68E964CA 2021-07-27 Key fingerprint = D8AC ED2D C7CE 8029 FEC7 7C08 4B41 1A90 68E9 64CA |
| Cloud SIG | download key | pub 2048R/764429E6 2015-05-15 Key fingerprint = 736A F511 6D9C 40E2 AF6B 074B F9B9 FEE7 7644 29E6 |
| ConfigManagement SIG | download key | pub 2048R/6E8B7E8A 2018-03-21 Key fingerprint = C75A FB57 D5C0 F238 CB15 BEC8 1AE1 10FA 6E8B 7E8A |
| Core SIG | download key | pub 2048R/15BACBD2 2021-10-06 Key fingerprint = E904 CACD 9EB8 3D8B 13BA B052 827F 178E 15BA CBD2 |
| HyperScale SIG | download key | pub 2048R/EB3DAC40 2021-01-18 Key fingerprint = 9B04 530E 0ED6 ABC4 B2C3 58DD 2A01 FA2A EB3D AC40 |
| Infra SIG | download key | pub 2048R/F56D1621 2020-08-13 Key fingerprint = 2F3B 7058 BCFA C3AB 0C72 B1BC 8B44 4FCE F56D 1621 |
| ISA SIG | download key | pub 2048R/DE702AB7 2023-05-26 Key fingerprint = D689 5EFF D4B1 2FC3 8569 C5A9 C114 980C DE70 2AB7 |
| Kmods SIG | download key | pub 2048R/7AE06D54 2021-06-22 Key fingerprint = 48EF 712E C5DD B68B 5280 BE45 5B8E 1A76 7AE0 6D54 |
| Messaging SIG | download key | pub 2048R/E16E0D12 2019-12-01 Key fingerprint = A926 5AE9 1718 68B8 2F91 5550 8301 4EBB E16E 0D12 sub 2048R/85F5BB32 2019-12-01 |
| NFV SIG | download key | pub 2048R/9D2A76A7 2018-02-20 Key fingerprint = 3515 4228 1749 01BE FA8E 69A6 2146 5E28 9D2A 76A7 |
| OpsTools SIG | download key | pub 2048R/51BC2A13 2017-02-20 Key fingerprint = 7872 8176 9AD7 3878 85EE A649 4FD9 5327 51BC 2A13 |
| PaaS SIG | download key | pub 2048R/2F297ECC 2016-05-18 Key fingerprint = C5E8 AB44 6FA7 893D 7490 51F1 C34C 5BD4 2F29 7ECC |
| Software Collections SIG | download key | pub 2048R/F2EE9D55 2015-10-01 Key fingerprint = C4DB D535 B1FB BA14 F8BA 64A8 4EB8 4E71 F2EE 9D55 |
| Storage SIG | download key | pub 2048R/E451E5B5 2015-01-23 Key fingerprint = 7412 9C0B 173B 071A 3775 951A D4A2 E50B E451 E5B5 |
| Virtualization SIG | download key | pub 2048R/61E8806C 2015-06-17 Key fingerprint = A7C8 E761 309D 2F1C 92C5 0B62 7AEB BE82 61E8 806C |
| AArch64 Key | download key | pub 2048R/305D49D6 2015-07-28 Key fingerprint = EF8F 3CA6 6EFD F32B 36CD ADF7 6C7C B6EF 305D 49D6 |
| Arm32 Key | download key | pub 2048R/62505FE6 2015-11-27 Key fingerprint = 4D9E 39F1 499C A21D D289 77F8 CAFE F11B 6250 5FE6 |
| PowerPC Key | download key | pub 2048R/F533F4FA 2015-11-27 Key fingerprint = BAFA 3436 FC50 768E 3C3C 2E4E A963 BBDB F533 F4FA |
Conclusion
Managing archive signing keys on CentOS is a vital aspect of system administration that ensures the integrity and security of your software packages. By following the steps outlined in this tutorial, you can effectively list, import, and remove GPG keys, maintaining a trusted environment for your CentOS system. Proper management of these keys helps prevent security issues and ensures that you are always installing verified and trustworthy software.