rpm --import: avoiding duplicate GPG public keys
yum uses GPG signatures to verify the authenticity and integrity of RPM packages installed from yum repositories. Before a signature can be checked, the corresponding GPG public key must be imported into the rpmdb. However, rpm --import is a rather "dumb" operation: it makes no check to prevent the same key being imported multiple times. Duplicate (or triplicate, or quadruplicate, etc.) keys do not cause any problems, but they are unnecessary clutter in the rpmdb.
Here's how to check if a public key has already been imported into the rpmdb.
When imported into the rpmdb, a GPG public key is stored as a pseudo-package named gpg-pubkey-$hexstr1-$hexstr2, where:
- $hexstr1 is the short (32-bit) key ID, as eight lowercase hex digits
- $hexstr2 is the key's creation time (a 32-bit Unix timestamp), as eight lowercase hex digits
$hexstr2 is not necessary for the purposes of this exercise, because rpm -q accepts a name-version query and gpg-pubkey-$hexstr1 alone is enough to find the package (which is fortunate, since I've not worked out how to generate it from a given public key!).
First, we need to get the hex ID of the public key. We do this with gpg --throw-keyids, which produces output like this (--throw-keyids is really an encryption option and does nothing here; given no command and a key file on stdin, gpg simply falls back to listing the key):
# gpg --throw-keyids < /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
pub 1024D/E8562897 2007-01-06 CentOS-5 Key (CentOS 5 Official Signing Key) <firstname.lastname@example.org>
sub 1024g/1E9EA3B6 2007-01-06 [expires: 2017-01-03]
The following code parses this output and stores the short key ID, in lowercase, in the variable keyid. The column positions are specific to the GnuPG 1.4 listing shown above; gpg 2.x no longer prints the short key ID on the pub line, so there a --with-colons listing, whose fifth field is the 16-hex-digit key ID, is the more robust source.
keyid=$(echo $(gpg --throw-keyids < "$keyfile") | cut --characters=11-18 | tr '[A-Z]' '[a-z]')   # $keyfile is the path to the key file, e.g. /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
Having obtained the key ID, it is relatively trivial to check whether that key already exists in the rpmdb before importing it (rpm -q exits non-zero when no matching package is installed):
if ! rpm -q "gpg-pubkey-$keyid" > /dev/null 2>&1 ; then
    echo "Installing GPG public key with ID $keyid from $keyfile..."
    rpm --import "$keyfile"
fi
To see which keys are already present, rpm -q gpg-pubkey --qf '%{version}-%{release} %{summary}\n' lists each imported key with its ID, creation timestamp and owner string.
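Putting the pieces together as an added example (this is not code from the original post): the script below derives $hexstr1 and $hexstr2 directly from the OpenPGP packets in a key file, so it produces the full gpg-pubkey-$hexstr1-$hexstr2 name without depending on gpg's listing format, and wraps the rpm -q check above. It uses only the Python standard library; the key it builds for its self-test is constructed for the demonstration and is not a real signing key. Run against the real CentOS 5 key file it prints gpg-pubkey-e8562897-459f07a4.

```python
#!/usr/bin/env python3
"""Compute rpm's gpg-pubkey-<keyid>-<created> name from an OpenPGP public key.
Added example, not from the original post; standard library only."""
import base64
import hashlib
import re
import struct
import subprocess

PUBKEY_TAG = 6  # OpenPGP public-key packet (RFC 4880, section 5.5.1.1)


def crc24(data):
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Extract and CRC-check the binary packet stream from an ASCII-armored key."""
    m = re.search(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)-----END PGP PUBLIC KEY BLOCK-----",
                  text, re.S)
    if not m:
        raise ValueError("no PGP PUBLIC KEY BLOCK found")
    lines = m.group(1).splitlines()
    if "" in lines:                      # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    data = base64.b64decode("".join(l for l in lines if not l.startswith("=")))
    crc_lines = [l for l in lines if l.startswith("=")]  # the "=XXXX" checksum line
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") != crc24(data):
        raise ValueError("armor CRC mismatch: key file is corrupt or truncated")
    return data


def packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if first & 0x40:                 # new format: tag in the low 6 bits
            tag, l1 = first & 0x3F, data[pos + 1]
            if l1 < 192:
                length, hdr = l1, 2
            elif l1 < 224:
                length, hdr = ((l1 - 192) << 8) + data[pos + 2] + 192, 3
            elif l1 == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                            # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            hdr = 1 + (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def key_info(src):
    """Fingerprint, key ID, creation time and rpm package name of the primary key."""
    if isinstance(src, str):
        src = src.encode()
    data = dearmor(src.decode("ascii", "replace")) if src.startswith(b"-----") else src
    for tag, body in packets(data):
        if tag != PUBKEY_TAG:            # subkeys, user IDs and signatures don't name the package
            continue
        if body[0] != 4:
            raise ValueError("only v4 keys are supported")
        created = struct.unpack(">I", body[1:5])[0]
        # v4 fingerprint: SHA-1 over 0x99, 2-byte body length, body (RFC 4880, 12.2).
        # The key ID is its low 64 bits; rpm uses the low 32 bits as the package version
        # and the creation time as the release.
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
        return {"fingerprint": fpr, "keyid": fpr[-16:], "created": created,
                "rpm_name": "gpg-pubkey-%s-%08x" % (fpr[-8:], created)}
    raise ValueError("no public-key packet found")


def is_imported(short_keyid):
    """True if rpm already holds gpg-pubkey-<short_keyid> (name-version query; needs rpm)."""
    return subprocess.run(["rpm", "-q", "gpg-pubkey-" + short_keyid],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def build_test_key(created, new_format=False):
    """Constructed minimal v4 RSA public-key packet, armored. Not a real key."""
    def mpi(n):
        return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(0xC5) + mpi(0x11)
    first = (0xC0 | PUBKEY_TAG) if new_format else (0x80 | (PUBKEY_TAG << 2))
    packet = bytes([first, len(body)]) + body
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed for this example\n\n"
            + base64.b64encode(packet).decode() + "\n="
            + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_key(0x459F07A4)
    print(key_info(src)["rpm_name"])
```

Usage: python3 keyname.py /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 prints the package name to query; with no argument it runs on its constructed key. The CRC check in dearmor is the cheap sanity test a practitioner wants before importing a key file fetched over the network, and because the name is derived from the packets rather than from gpg's human-readable listing it is unaffected by the gpg 1.4 versus 2.x output differences.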