Installing a Package Signing Key


As a system administrator of numerous Linux servers, I follow a standard policy of not allowing any external package updates, so that every package has been tested before it is installed. To support this policy, it is necessary to create local repositories that mirror the external ones and to install packages on local systems only from those local repositories.

  • cobbler is a tool that makes local repository mirroring and system provisioning very simple
  • cfengine is a configuration management tool which makes configuring scores of machines at once trivial

Installing the Key

I recently created a local mirror of the EPEL repository and, when trying to install awstats, ran into an error indicating that the repository's package signing key was not installed:

# yum install awstats
...<snip>...
Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size 
=============================================================================
Installing:
 awstats                 noarch     6.7-3.el5        hv-epel           1.2 M
Installing for dependencies:
 perl-Compress-Zlib      x86_64     1.42-1.fc6       hv-base            52 k
 perl-HTML-Parser        x86_64     3.55-1.fc6       hv-base            92 k
 perl-HTML-Tagset        noarch     3.10-2.1.1       hv-base            15 k
 perl-libwww-perl        noarch     5.805-1.1.1      hv-base           376 k

Transaction Summary
=============================================================================
Install      5 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 1.7 M
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 217521f6


Public key for awstats-6.7-3.el5.noarch.rpm is not installed

I needed to download and install the key on all of my servers without installing the package, and used the following method. First, fetch the epel-release package, which contains the key.

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

Extract the contents of the RPM.

rpm2cpio epel-release-5-3.noarch.rpm | cpio -idv

Find the key in question.

# find etc/
etc/
etc/pki
etc/pki/rpm-gpg
etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
etc/yum.repos.d
etc/yum.repos.d/epel.repo
etc/yum.repos.d/epel-testing.repo

Import the key into the RPM keyring.

# rpm --import etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

I was then able to successfully install awstats from the local copy of the EPEL repository.

Key Distribution

The next problem is distributing that key to all of the hosts under my control.

To identify the key, first list the installed public keys on a system which has not yet had the key imported.

# rpm -qa gpg-pubkey*
gpg-pubkey-e8562897-459f07a4
gpg-pubkey-60d204a7-43202030
gpg-pubkey-e42d547b-3960bdf1
gpg-pubkey-6b8d79e6-3f49313d
gpg-pubkey-1aa78495-3eb24301

Next, import the key and check for differences in the list.

# rpm --import RPM-GPG-KEY-EPEL
# rpm -qa gpg-pubkey*
gpg-pubkey-e8562897-459f07a4
gpg-pubkey-60d204a7-43202030
gpg-pubkey-e42d547b-3960bdf1
gpg-pubkey-217521f6-45e8a532
gpg-pubkey-6b8d79e6-3f49313d
gpg-pubkey-1aa78495-3eb24301

The new entry is gpg-pubkey-217521f6-45e8a532; its key ID matches the 217521f6 reported in the NOKEY warning above. I can use this package name to validate that the key has been installed and trigger an install action if it has not.

First, make the key available to all hosts by some standard method. I prefer HTTP, so I place the file on a web host; setting that up is not covered here.

Next, create a cfengine class which matches hosts that already have the key installed.

epel_key_installed = ( '/bin/rpm -q gpg-pubkey-217521f6-45e8a532' )

Then create an action, for Red Hat hosts without that class, which retrieves and imports the key.

redhat&!epel_key_installed::
  "/usr/bin/curl -C \- -L http\://web-host/misc/RPM-GPG-KEY-EPEL > /tmp/RPM-GPG-KEY-EPEL" inform=true
  "/bin/rpm --import /tmp/RPM-GPG-KEY-EPEL" inform=true
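The key-identification step above (diffing the gpg-pubkey listing and matching it against the NOKEY warning), as an added shell example that is not part of the original page; it assumes only POSIX tools (sed, grep, sort, comm, mktemp), and the warning line and listings are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the page): derive the gpg-pubkey package name the
# cfengine class checks for, instead of reading it off the listing by eye.

# Extract the 8-hex-digit key ID from a yum/rpm NOKEY warning line.
key_id_from_nokey() {
    printf '%s\n' "$1" | sed -n 's/.*NOKEY, key ID \([0-9A-Fa-f]\{8\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# Given a key ID and an `rpm -qa gpg-pubkey*` listing on stdin, print the
# matching gpg-pubkey-<keyid>-<timestamp> package name (nothing if absent).
pubkey_pkg_for_id() {
    grep -i "^gpg-pubkey-$1-" | head -n 1
}

# Print entries present in the "after" listing file but not in "before".
# comm needs sorted input, so sort both into temporary files first.
new_pubkeys() {
    _b=$(mktemp) && _a=$(mktemp) || return 1
    LC_ALL=C sort "$1" > "$_b"
    LC_ALL=C sort "$2" > "$_a"
    comm -13 "$_b" "$_a"
    rm -f "$_b" "$_a"
}

# Constructed sample data: the NOKEY warning and the two listings from the page.
NOKEY_LINE='warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 217521f6'
BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
gpg-pubkey-e8562897-459f07a4
gpg-pubkey-60d204a7-43202030
gpg-pubkey-e42d547b-3960bdf1
gpg-pubkey-6b8d79e6-3f49313d
gpg-pubkey-1aa78495-3eb24301
EOF
cat > "$AFTER" <<'EOF'
gpg-pubkey-e8562897-459f07a4
gpg-pubkey-60d204a7-43202030
gpg-pubkey-e42d547b-3960bdf1
gpg-pubkey-217521f6-45e8a532
gpg-pubkey-6b8d79e6-3f49313d
gpg-pubkey-1aa78495-3eb24301
EOF
KEY_ID=$(key_id_from_nokey "$NOKEY_LINE")          # 217521f6
KEY_PKG=$(pubkey_pkg_for_id "$KEY_ID" < "$AFTER")  # gpg-pubkey-217521f6-45e8a532
echo "cfengine class: epel_key_installed = ( '/bin/rpm -q $KEY_PKG' )"
```

On a live host the same package name is what `rpm -q` checks in the cfengine class, so the lookup can replace the by-eye comparison when several keys are added at once.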