Managing GPG keys in RPM?



I'm building a new repo and am concerned about the security of GPG keys.
I've found out that when Yum (or RPM) imports a key, the key's expiry date and status information is ignored.
For instance, I could import a revoked key or an expired key, and no warnings would be displayed. Packages that were signed with these keys could be validated without errors. Is this a bug or a feature?
Q1: How can I remove/revoke a GPG public key from a user's rpmdb without user interaction? I've tried to make a package that Obsoletes the package gpg-pubkey-x-y (which is the imported public key), but to no avail.
In Apt, I can easily manage repo keys by using separate keyrings, loaded from /etc/apt/trusted.gpg.d/*.gpg, by adding, replacing or removing keyring files.
I've found out that a similar folder should be present in RPM as well (available in the macro _keyringpath): the folder %{_dbpath}/pubkeys/, which is %{_var}/lib/rpm/pubkeys/.
However, this folder is not present in CentOS 6 or 7. There's only a file called Pubkeys.
Q2: Does this folder allow me to manage GPG keys like simple files, as Apt does? Should I create this folder manually on my clients' PCs? I'm very uncomfortable about creating structures inside the package manager's directory.
Thanks in advance.
Rpm-list mailing list
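The expiry/revocation check that rpm skips on import can be done on the client side by exporting each gpg-pubkey-* package into a scratch keyring and reading gpg's machine-readable listing. The script below is an added example, not code from the post or from the rpm project; the function names, the scratch-keyring workflow in the comments and the sample gpg listing are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the GPG public keys that
# rpm has imported as gpg-pubkey-* packages, since rpm ignores expiry and
# revocation when importing. Assumed live usage on a client machine:
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
#   rpm -qi gpg-pubkey-<ver>-<rel> \
#     | gpg --no-default-keyring --keyring "$tmp" --import
#   gpg --no-default-keyring --keyring "$tmp" --with-colons \
#       --fixed-list-mode --list-keys | classify_keys "$(date +%s)"
# The sample listing below is constructed to exercise the three cases.

# Read gpg --with-colons output on stdin; print "<keyid> <status>" per key.
# Field 2 is validity ('e' expired, 'r' revoked), field 7 the expiry epoch.
classify_keys() {
    awk -F: -v now="$1" '
        $1 == "pub" {
            status = "ok"
            if ($2 == "r") status = "REVOKED"
            else if ($2 == "e" || ($7 != "" && $7 + 0 < now + 0)) status = "EXPIRED"
            print $5, status
        }'
}

# rpm names an imported key gpg-pubkey-<low 32 bits of key id>-<sig time>,
# so the version field must equal the last 8 hex digits of the gpg key id.
rpm_name_matches_keyid() {
    ver=$(printf '%s' "$1" | cut -d- -f3)
    tail8=$(printf '%s' "$2" | sed 's/.*\(........\)$/\1/' | tr 'A-F' 'a-f')
    [ "$ver" = "$tail8" ]
}

# Constructed gpg listing: one expired, one revoked, one valid key.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAA11111111:1262304000:1420070400::-:::sc::::::23::0:
uid:e::::1262304000::HASH::Expired Key <expired@example.invalid>::::::::::0:
pub:r:4096:1:BBBBBBBB22222222:1262304000:::-:::sc::::::23::0:
uid:r::::1262304000::HASH::Revoked Key <revoked@example.invalid>::::::::::0:
pub:-:4096:1:CCCCCCCC33333333:1262304000:1893456000::-:::scESC::::::23::0:
uid:-::::1262304000::HASH::Good Key <good@example.invalid>::::::::::0:
EOF
}

sample_listing | classify_keys 1500000000
```

A key reported as EXPIRED or REVOKED is still trusted by rpm until its gpg-pubkey package is erased with `rpm -e`, so this check is what makes that erasure decision visible.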
