I recently had a package signing key expire, preventing some automatic updates from installing, so I am now setting up monitoring to make sure we are alerted if this happens again.
On Debian systems I can use apt-key to show all the repo keys and their expiry dates (if any), but I cannot find how to do the equivalent for yum on CentOS.
I can get some key info using:
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
But this does not show expiry dates - any idea how to extract this information?
On Red Hat derived systems, the GPG keys are also stored in ASCII armor in the directory /etc/pki/rpm-gpg-keys. You can inspect any of the keys from there.
For example, on CentOS 8:
You can use -v to see additional details, and you will need to do so on older versions of gpg. This example is from CentOS 7.
Neither of these have expiry dates, but a key which has an expiry date or is already expired will show the expiry date.
Here is a key with an expiry date in the future:
And here is a key that already expired:
An optional package, distribution-gpg-keys, contains GPG keys from a variety of different Linux distributions and repositories. When this package is installed, these keys are available in the directory /usr/share/distribution-gpg-keys.
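For the monitoring goal in the question, a check can be scripted around gpg's machine-readable output; this is an added example, not part of the original question or answer. The function names and sample records are constructed for illustration, and it assumes the installed gpg lists a key file passed as an argument when given --with-colons --fixed-list-mode (the latter makes older gpg print expiry as epoch seconds).

```shell
#!/bin/sh
# Added example: flag repo signing keys that are expired or expire soon.
# In gpg --with-colons output, "pub"/"sub" records carry the key ID in
# field 5 and the expiry date in field 7 (empty means no expiry).

# check_expiry NOW_EPOCH WARN_DAYS: reads colon records on stdin and
# prints "STATUS keyid expiry" for each key that needs attention.
check_expiry() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" || $1 == "sub" {
            if ($7 == "") next                       # key never expires
            if ($7 !~ /^[0-9]+$/) {                  # not epoch seconds
                print "UNPARSED " $5 " " $7; next
            }
            if ($7 <= now) { print "EXPIRED " $5 " " $7 }
            else if ($7 - now <= warn * 86400) { print "EXPIRING " $5 " " $7 }
        }'
}

# scan_keys DIR WARN_DAYS: run the check over every key file in DIR.
# Returns 1 if any key was flagged, so cron or a monitoring agent can alert.
scan_keys() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        out=$(gpg --with-colons --fixed-list-mode "$f" 2>/dev/null |
              check_expiry "$(date +%s)" "$2")
        if [ -n "$out" ]; then
            printf '%s:\n%s\n' "$f" "$out"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample records (not real keys) for trying the parser offline.
sample_records() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC:
pub:e:4096:1:BBBBBBBBBBBBBBBB:1400000000:1600000000::-:::sc:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1600000000:1701000000::-:::scESC:
uid:-::::1600000000::0000::Constructed Test Key <test@example.invalid>:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1600000000:1800000000::-:::scESC:
EOF
}

# Usage: script.sh KEY_DIR [WARN_DAYS]   (does nothing without arguments)
if [ "$#" -ge 1 ]; then scan_keys "$1" "${2:-30}"; fi
```

Run it with the key directory as the first argument and an optional warning window in days; a non-zero exit status means at least one key was flagged.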