I am new to Linux and I typed yum update firefox in the shell.
During the process, it says:
Importing GPG key 0x57BBCCBA "Fedora (12) <[email protected]>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-i386
Is this ok [y/N]: y
Why does firefox need to import the GPG key when updating?
Does this happen often when installing or updating software using yum?
This is Fedora-specific. You have to do this only the first time you use yum to update your system. After that, yum should memorize that this specific key is trusted and not ask anymore.
This key is used to digitally sign the packages you are installing, making them certified by Fedora developers. This means that, as long as this is the right key, you are safe from installing tampered/malicious software in your system. If an individual tried to inject malicious software for your computer to download and install, yum would notice that it is either unsigned or signed by a non-trusted key, and warn you.
Usually, you just answer yes and forget it. But the correct procedure is to first certify that the key was not intercepted and replaced with a malicious key from someone else. Since it came installed with your system (it is in /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-i386, as the message says) it is reasonable to believe that the key provenance is good, as long as your installation media was also good.
To check the key, you should get its fingerprint with GPG and compare it with a trusted source:
The fingerprint should match the one listed in https://fedoraproject.org/keys .
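The fingerprint comparison described in the answer above, as an added shell example that is not part of the original post. The function names are hypothetical, and it assumes a GnuPG 2.x whose `gpg` provides `--show-keys` and a key with a 40-hex-digit (v4) fingerprint. It insists on the full fingerprint because the 8-digit key ID shown in the yum prompt is too short to identify a key uniquely.

```shell
#!/bin/sh
# Added example: compare the fingerprint of a key file with a value copied
# from a trusted source (for Fedora, https://fedoraproject.org/keys).

# Remove spaces and colons and uppercase the hex digits, so that
# "0123 4567 ..." and "01234567..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key. The "fpr" record that follows a "pub" record holds it in
# field 10; "fpr" records that follow "sub" records are subkeys and skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Read colon-format key listing on stdin, compare with the expected value.
# Returns 0 on match, 1 on mismatch, 2 if the expected value is not a full
# 40-hex-digit fingerprint, 3 if the listing does not hold exactly one key.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    case $expected in
        *[!0-9A-F]*) return 2 ;;
    esac
    # Assumption: v4 key. A short ID such as 0x57BBCCBA is rejected here.
    [ "${#expected}" -eq 40 ] || return 2
    actual=$(primary_fprs)
    [ "$(printf '%s\n' "$actual" | grep -c .)" -eq 1 ] || return 3
    [ "$actual" = "$expected" ]
}

# Inspect the key file without importing it, then compare.
# Usage: verify_key_file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-i386 "<fingerprint from the trusted page>"
verify_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | fpr_matches "$2"
}
```

Answer `y` at the yum prompt only if `verify_key_file` returns 0 for the fingerprint you copied over HTTPS from the trusted page.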