[CentOS] automatic import of rpm keys

Tue Jun 25 01:32:14 UTC 2013
Rob Kampen <rkampen at kampensonline.com>

On 06/25/2013 10:38 AM, Markus Falb wrote:
> On 14.Jun.2013, at 13:20, James Hogarth wrote:
>
>> I think I am getting a little confused about these trust things.
>>> How am *I* supposed to verify the validity of those public keys.
>>>
>>
>> If you really want to be sure what you should do is compare them from your
>> system to a trusted source such as the CentOS website, CentOS main
>> repositories, CentOS IRC channel or here ;)
> So I hardcode the keys in my %post and compare them to what was installed, instead of blindly importing them
>
> …snip
> # import the pgp key
> cmp /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 - <<GUGU
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> shiny KEY GOES HERE
> -----END PGP PUBLIC KEY BLOCK-----
> GUGU
>
> if [ $? == 0 ]; then
>     rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
> fi
> snap...
>
> still not quite sure what to do if the key does not match in the previous comparison.
> however, here are the keys I know of and if someone keys does not match she might raise her hands.
>
> (what is the RPM-GPG-KEY-CentOS-Security-6 key for?)
>
> # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
> pub  4096R/C105B9DE 2011-07-03 CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key at centos.org>
>        Key fingerprint = C1DA C52D 1664 E8A4 386D  BA43 0946 FCA2 C105 B9DE
>
> # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Debug-6
> pub  4096R/D0FF3D16 2011-07-03 CentOS-6 Debuginfo Key (CentOS-6 Debuginfo Signing Key) <centos-6-debug-key at centos.org>
>        Key fingerprint = 69B3 0F26 BA2B 3AA4 C27C  E4F5 3B75 CF79 D0FF 3D16
>
> # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Security-6
> pub  4096R/FE837F6F 2011-07-03 CentOS-6 Security Key (CentOS-6 Official Security Key) <centos-6-security-key at centos.org>
>        Key fingerprint = 0830 F43C 928A A5A8 A6F1  AF97 0B13 2C3F FE83 7F6F
>
> # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Testing-6
> pub  4096R/EF1D6DB8 2011-07-03 CentOS-6 Testing Key (CentOS-6 Test and Beta Signing Key) <centos-6-testing-key at centos.org>
>        Key fingerprint = 4233 9C29 8BC4 352C A4F9  7504 119C 1A87 EF1D 6DB8
These match the ones I have used for the last 18 months.