rpm --import: avoiding duplicate GPG public keys

Friday, November 07 2008 @ 05:44 PM GMT

Contributed by: robin

yum uses GPG signatures to verify that the rpm packages it installs from a yum repo were signed by the repository's key and have not been tampered with. Before it can do that, the repository's GPG public key must be imported into the rpm db with rpm --import. That is a rather "dumb" operation: no check is made for the key already being present, so the same key can be imported multiple times. Duplicate (or triplicate, or quadruplicate, etc.) keys do not cause any problems, but they are unnecessary clutter in the rpmdb.

Here's how to check if a public key has already been imported into the rpmdb.

When imported into the rpmdb, a GPG public key shows up as a package named gpg-pubkey-$hexstr1-$hexstr2, where:

    $hexstr1 is the 8-hex-digit (short) key ID of the public key, in lower case, and
    $hexstr2 is the key's creation time as an 8-hex-digit Unix timestamp.

Only $hexstr1 is needed for the purposes of this exercise: rpm -q gpg-pubkey-$hexstr1 matches on name and version alone, so the release part ($hexstr2) can be ignored.

First, we need to get the hex ID of the public key. Feeding the key file to gpg with no command makes it list the key; the --throw-keyids option used below is an encryption option that has no effect on the listing, so plain gpg < keyfile gives the same result. The output looks like this:

# gpg --throw-keyids < /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5      
pub  1024D/E8562897 2007-01-06 CentOS-5 Key (CentOS 5 Official Signing Key) <centos-5-key@centos.org>
sub  1024g/1E9EA3B6 2007-01-06 [expires: 2017-01-03]

The following code parses this output and stores the public key ID, lower-cased, in the variable $keyid. The echo $(...) collapses runs of whitespace, so the ID always lands in columns 11-18 of the pub line as long as the key type field is five characters wide (1024D, 2048R, 4096R, ...):

keyid=$(echo $(gpg --throw-keyids < $keyfile) | cut --characters=11-18 | tr 'A-Z' 'a-z')

Having obtained the key ID, it is relatively trivial to check if that key exists in the rpmdb before importing it. rpm -q gpg-pubkey-$keyid matches any installed gpg-pubkey package whose version is $keyid, whatever its release:

if ! rpm -q gpg-pubkey-$keyid > /dev/null 2>&1 ; then
    echo "Installing GPG public key with ID $keyid from $keyfile..."
    rpm --import $keyfile
fi
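The same check as a complete script, added here as an example and not part of the original post. Instead of a fixed character offset it parses gpg's listing with awk (both the colon-separated --with-colons format and the human-readable one shown above), handles key files that contain more than one key, and only calls rpm --import when at least one of the keys is missing from the rpmdb. The assumptions are that gpg --with-colons --with-fingerprint <keyfile> lists the keys in a key file (GnuPG 1.4/2.0; GnuPG 2.2 and later want gpg --show-keys --with-colons), and the sample listings at the bottom are constructed to match the shape of real gpg output (the subkey's long ID is made up):

```bash
#!/bin/sh
# Added example: import an RPM signing key only if no gpg-pubkey-<keyid>
# package is installed yet. Parsing is done with awk rather than a fixed
# column offset, and every key in a multi-key file is checked.

# Print the lower-case 8-hex-digit key ID of every "pub" record in gpg's
# colon-separated output (gpg --with-colons), one per line. Field 5 holds the
# 16-hex-digit long key ID; rpm names the package after its last 8 digits.
keyids_from_colons() {
    awk -F: '$1 == "pub" && $5 != "" { print tolower(substr($5, length($5) - 7)) }'
}

# Same for the human-readable listing ("pub  1024D/E8562897 ..."). Lines
# without the size/ID field (newer gpg prints "pub   dsa1024 ...") yield nothing.
keyids_from_listing() {
    awk '$1 == "pub" { n = split($2, a, "/"); if (n == 2 && a[2] != "") print tolower(a[2]) }'
}

# rpmdb package name that rpm -q matches for an imported key with this ID
# (name-version only; the release, the creation timestamp, is not needed).
pubkey_pkg_name() {
    echo "gpg-pubkey-$1"
}

# Import the key file $1 unless every key it contains is already in the rpmdb.
# Needs gpg and rpm on the machine; assumes "gpg --with-colons --with-fingerprint
# <file>" lists the keys in a key file (GnuPG 2.2+: gpg --show-keys --with-colons).
import_key_if_missing() {
    keyfile=$1
    ids=$(gpg --with-colons --with-fingerprint "$keyfile" 2>/dev/null | keyids_from_colons)
    if [ -z "$ids" ]; then
        echo "no public key found in $keyfile" >&2
        return 1
    fi
    missing=0
    for id in $ids; do
        if rpm -q "$(pubkey_pkg_name "$id")" >/dev/null 2>&1; then
            echo "key $id from $keyfile is already in the rpmdb"
        else
            echo "key $id from $keyfile is not in the rpmdb"
            missing=1
        fi
    done
    if [ "$missing" -eq 1 ]; then
        echo "Installing GPG public key(s) from $keyfile..."
        rpm --import "$keyfile"
    fi
}

# Constructed sample inputs for the parsers. The first mimics gpg --with-colons
# for the CentOS-5 key (the subkey's long ID is invented); the second is the
# human-readable listing quoted in the post.
SAMPLE_COLONS='pub:-:1024:17:A8A447DCE8562897:2007-01-06:::-:CentOS-5 Key (CentOS 5 Official Signing Key) <centos-5-key@centos.org>::scaESCA:
sub:-:1024:16:000000001E9EA3B6:2007-01-06:2017-01-03:::::e:'
SAMPLE_LISTING='pub  1024D/E8562897 2007-01-06 CentOS-5 Key (CentOS 5 Official Signing Key) <centos-5-key@centos.org>
sub  1024g/1E9EA3B6 2007-01-06 [expires: 2017-01-03]'

if [ $# -gt 0 ]; then
    # Real use: ./import-key.sh /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
    import_key_if_missing "$1"
else
    # Offline demonstration of the parsers on the constructed samples.
    printf '%s\n' "$SAMPLE_COLONS"  | keyids_from_colons    # prints e8562897
    printf '%s\n' "$SAMPLE_LISTING" | keyids_from_listing   # prints e8562897
fi
```

Run it with the key file as its only argument to perform the check and import; with no argument it only exercises the parsers on the embedded samples. Matching on the colon format is the more robust choice because the human-readable layout changed between GnuPG releases, while the pub record's fifth field has stayed the long key ID.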
