11

Where does CentOS/RHEL 6 store custom GPG keys? I thought /etc/pki/rpm-gpg but I installed nginx's key but unable to find it. I see it was imported properly but where is it?

wget http://nginx.org/keys/nginx_signing.key
rpm --import nginx_signing.key

[root@web1-ftl rpm-gpg]# rpm -qi gpg-pubkey-7bd9bf62-4e4e3262
Name        : gpg-pubkey                   Relocations: (not relocatable)
Version     : 7bd9bf62                          Vendor: (none)
Release     : 4e4e3262                      Build Date: Wed 05 Feb 2014 03:26:35 AM UTC
Install Date: Wed 05 Feb 2014 03:26:35 AM UTC      Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
Size        : 0                                License: pubkey
Signature   : (none)
Summary     : gpg(nginx signing key <signing-key@nginx.com>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.8.0 (NSS-3)


mQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH
W6iimD0RsfZ9oEbfJCPG0CRSZ7ppq5pKamYs2+EJ8Q2ysOFHHwpGrA2C8zyNAs4I
QxnZZIbETgcSwFtDun0XiqPwPZgyuXVm9PAbLZRbfBzm8wR/3SWygqZBBLdQk5TE
fDR+Eny/M1RVR4xClECONF9UBB2ejFdI1LD45APbP2hsN/piFByU1t7yK2gpFyRt
97WzGHn9MV5/TL7AmRPM4pcr3JacmtCnxXeCZ8nLqedoSuHFuhwyDnlAbu8I16O5
XRrfzhrHRJFM1JnIiGmzZi6zBvH0ItfyX6ttABEBAAG0KW5naW54IHNpZ25pbmcg
a2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoBQJOTjJiAhsDBQkJ
ZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCr9b2Ce9m/YpvjB/98uV4t
94d0oEh5XlqEZzVMrcTgPQ3BZt05N5xVuYaglv7OQtdlErMXmRWaFZEqDaMHdniC
sF63jWMd29vC4xpzIfmsLK3ce9oYo4t9o4WWqBUdf0Ff1LMz1dfLG2HDtKPfYg3C
8NESud09zuP5NohaE8Qzj/4p6rWDiRpuZ++4fnL3Dt3N6jXILwr/TM/Ma7jvaXGP
DO3kzm4dNKp5b5bn2nT2QWLPnEKxvOg5Zoej8l9+KFsUnXoWoYCkMQ2QTpZQFNwF
xwJGoAz8K3PwVPUrIL6b1lsiNovDgcgP0eDgzvwLynWKBPkRRjtgmWLoeaS9FAZV
ccXJMmANXJFuCf26iQEcBBABAgAGBQJOTkelAAoJEKZP1bF62zmo79oH/1XDb29S
YtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnCjNjk0EVBVGa2grvy9Jtx
JKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyMeUrSbY3XfToGfwHC4sa/
Thn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZaoQVrmORGjCuH0I0aAFk
RS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDBAeCHl+v4t/uotIad8v6J
SO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8mH4cJHRTFNSEhPW6ghmlf
Wa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkLLBcgg1G+AKCnacLb/+W6
cflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gcaQZmIRgQQEQIABgUCTk5f
YQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeWuCgVRwCcCUFhXRCpQO2Y
Va3l3WuB+rgKjsQ=
=A015
-----END PGP PUBLIC KEY BLOCK-----
Dave M
  • 4,494
user1973314
  • 141
  • 2
  • 3
  • 8

1 Answers1

10

They are stored in the RPM database, which is in /var/lib/rpm. From the manpage

Digital signatures cannot be verified without a public key.  An ASCII 
armored public  key  can  be added  to  the rpm database using --import. An 
imported public key is carried in a header, and keyring management is 
performed exactly like package management. For example, all currently  
imported public keys can be displayed by:

rpm -qa gpg-pubkey*


Details about a specific public key, when imported, can be displayed by 
querying.  Here’s information about the Red Hat GPG/DSA key:


rpm -qi gpg-pubkey-db42a60e


Finally, public keys can be erased after importing just like packages. 
Here’s how  to  remove  the Red Hat GPG/DSA key


rpm -e gpg-pubkey-db42a60e

/etc/pki/rpm-gpg is the standard place for packages with repository configuration (like epel-release) to put keys they want to be imported. The yum configuration in the package will have the path to the key in the gpgkey directive. The first time you try to install a package from a repository yum prompts you to import the key.

Community
  • 1
sciurus
  • 12,958
  • 3
  • 33
  • 51