On a RHEL 7.4 system, I add the salt-latest repo as follows:
yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
Notice, amongst other things, this creates the following two GPG key files:
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt
/etc/pki/rpm-gpg/saltstack-signing-key
For later reference, notice the fingerprint of the CentOS key ends with f4a80eb5:
# gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt
pub 4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>
Key fingerprint = 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5
Attempt to reposync download:
mkdir /root/foobar
reposync --gpgcheck --plugins --repoid=salt-latest --download_path=/root/foobar --newest-only --downloadcomps --delete --download-metadata
It fails with errors like these:
Removing babel-0.9.6-8.el7.noarch.rpm, due to missing GPG key.
Removing libyaml-0.1.4-11.el7_0.i686.rpm, due to missing GPG key.
Removing libyaml-0.1.4-11.el7_0.x86_64.rpm, due to missing GPG key.
So I manually download all the files that failed (in a for-loop) and check the signatures of their signing keys. They are all the same, so here's just one of them for example:
wget http://repo.saltstack.com/yum/redhat/7/x86_64/latest/base/babel-0.9.6-8.el7.noarch.rpm
rpm -K babel-0.9.6-8.el7.noarch.rpm
babel-0.9.6-8.el7.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#f4a80eb5)
Notice the key PGP#f4a80eb5 matches the key referenced above, F4A8 0EB5. So why is it failing the gpg check?
Things I've tried include:
I edited /etc/yum.repos.d/salt-latest.repo and changed the gpgkey= line. I got the same failure with all three of these variations. As far as I can tell, changing the gpgkey= line has no effect:
gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt
gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt
I tried running reposync without --gpgcheck. It works, but obviously, it's bad to use it this way.
reposync --plugins --repoid=salt-latest --download_path=/root/foobar --newest-only --downloadcomps --delete --download-metadata
I wonder if reposync is refusing to use the key because it's too weak? MD5. But I couldn't think of any way to confirm or deny this.
I wonder if the key actually has an expiration date? But I couldn't find any way to confirm or deny this either.
I stumbled upon the answer! It seems rpm must keep a keystore someplace separate from /etc/pki/rpm-gpg, and it seems insufficient for the gpgkey= line to be specified in the repo file. After doing this, reposync works, and correctly validates all the signatures of all the files:
Also see "where does rpm install custom gpg keys?". Keys are stored in the rpm database, and can be queried and removed using the following commands:
Contrary to @sciurus's answer, this information is not in the man page (at least not in RHEL 7.4).
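An added example, not part of the question or the answer above and not a SaltStack or Red Hat tool: a small shell diagnostic that automates the check the thread does by hand. It assumes real output is fed from rpm -K, gpg --with-fingerprint and rpm -q gpg-pubkey (which lists imported keys as gpg-pubkey-<keyid>-<creation-time>); the sample inputs below are constructed from the messages quoted in the thread, and the creation-time fields in them are placeholders.

```shell
# Added diagnostic, not from the question or answer. It extracts the key id from rpm's
# "MISSING KEYS" message, checks that the key file on disk really is that key (last 8 hex
# digits of the gpg fingerprint), and checks whether rpm's own database already holds it.
# A key that is on disk but absent from the database is the state the thread hit; the
# fix is `rpm --import <keyfile>`.

# Key ids from `rpm -K` output on stdin, lowercase, one per line.
missing_keyids() {
    sed -n 's/.*MISSING KEYS:.*PGP#\([0-9A-Fa-f]\{8\}\).*/\1/p' | tr 'A-F' 'a-f' | sort -u
}

# Is key id $1 already imported?  stdin = output of `rpm -q gpg-pubkey`.
key_imported() {
    grep -qi "^gpg-pubkey-$1-"
}

# Does the key file match id $1?  stdin = output of `gpg --quiet --with-fingerprint <keyfile>`.
keyfile_matches() {
    fp=$(sed -n 's/.*Key fingerprint = //p' | tr -d ' ' | tr 'A-F' 'a-f')
    [ -n "$fp" ] && [ "$(printf '%s' "$fp" | tail -c 8)" = "$1" ]
}

# One line per missing key id. $1 = rpm -K output, $2 = rpm -q gpg-pubkey output, $3 = key file.
report() {
    for id in $(printf '%s\n' "$1" | missing_keyids); do
        if printf '%s\n' "$2" | key_imported "$id"; then
            echo "$id: present in rpm db"
        else
            echo "$id: absent from rpm db; fix with: rpm --import $3"
        fi
    done
}

# Constructed sample input, copied from the messages quoted in the thread.
RPMK_SAMPLE='babel-0.9.6-8.el7.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#f4a80eb5)'
GPG_SAMPLE='pub 4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key)
      Key fingerprint = 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5'
# Constructed rpm-db listings: before the import (only an unrelated key) and after it.
# The creation-time field (00000000) and the unrelated key id are placeholders.
RPMDB_BEFORE='gpg-pubkey-aabbccdd-00000000'
RPMDB_AFTER='gpg-pubkey-aabbccdd-00000000
gpg-pubkey-f4a80eb5-00000000'
KEYFILE=/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt

report "$RPMK_SAMPLE" "$RPMDB_BEFORE" "$KEYFILE"
```

On a live system, feed the functions with the real command output, e.g. rpm -K on the failed package and rpm -q gpg-pubkey for the database listing, then re-run reposync --gpgcheck after the import.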