1 (edited by yrousseau 2021-03-16 14:11:17)

Topic: [SOLVED] - Verify repository (remirepo) with GPG

Hi all,

I need to perform a fresh install of remi-release-7.rpm (available on [repo]https://rpms.remirepo.net) on a new virtual machine but the admin sys requires the file to be checked before installation.
Problem : I am not very comfortable with GPG.

I retrieved the public key provided ([repo]/RPM-GPG-KEY-remi) and save it in a remi.gpg file.

I imported it with the following command :
gpg --import remi.gpg

If I check the fingerprint (gpg --with-fingerprint remi.gpg) the fingerprint matches with that provided in [repo]/KEYS.txt

I downloaded the .rpm file and now I would like to verify it.
What are the correct steps ?
The manual says the first parameter of --verify option must be a sig file, but no sig file is provided in the website (remirepo). Or what am I not understanding ?

Thanks in advance for your help.

Best regards,

Re: [SOLVED] - Verify repository (remirepo) with GPG

You can check the signature using

$ rpm --checksig remi-release-7.rpm
remi-release-7.rpm: digests signatures OK

Everything needed is in the rpm archive

Desktop: Fedora 33 + rpmfusion + remi-test + remi-dev
Laptop:  Fedora 32 + rpmfusion + remi (SCL only)
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: [SOLVED] - Verify repository (remirepo) with GPG

Thanks for your quick answer.

Here the result :
rpm --checksig remi-release-7.rpm
remi-release-7.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00f97f56)

If I list my keys :

gpg --list-keys
=----------------------------------------------
pub   1024D/00F97F56 2005-04-21
uid                  Remi Collet <RPMS@FamilleCollet.com>
sub   1024g/697B675E 2005-04-21

What am I doing wrong ?

I suppose I must do a
rpm --import [...]
and not a
gpg --import [...]

to add the key at the RPM level ?

Thanks

Re: [SOLVED] - Verify repository (remirepo) with GPG

You need to import the key in the RPM database

# rpm --import /path/to/key

Desktop: Fedora 33 + rpmfusion + remi-test + remi-dev
Laptop:  Fedora 32 + rpmfusion + remi (SCL only)
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: [SOLVED] - Verify repository (remirepo) with GPG

As explained in https://blog.remirepo.net/pages/Config-en

See 4. Remi's signature Installation (GPG Key)

Desktop: Fedora 33 + rpmfusion + remi-test + remi-dev
Laptop:  Fedora 32 + rpmfusion + remi (SCL only)
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: [SOLVED] - Verify repository (remirepo) with GPG

Ok perfect, thanks for your feedback.
As soon as I obtain my sudoer/root privileges from the admin sys I try this.

Big thanks for your support and your job.

Re: [SOLVED] - Verify repository (remirepo) with GPG

It's perfect, it is working now.

Big thanks for your support.

Kind regards,

Re: [SOLVED] - Verify repository (remirepo) with GPG

smile

Desktop: Fedora 33 + rpmfusion + remi-test + remi-dev
Laptop:  Fedora 32 + rpmfusion + remi (SCL only)
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi