RPM Signing Key Fingerprints

The Importance of Checking Keys

RPM packages are signed using public-key cryptography. A package maintainer signs each package with their private key when they build it, and publishes the corresponding public key. When you install a package, RPM uses that public key to verify the package's signature, which confirms both that the package has not been altered and that it was signed by the holder of the private key. Without this check it would be very easy to tamper with packages to install malware. When you install a package whose signing key you haven't used before, yum/RPM prompts you to accept the public key and shows you the key's fingerprint. The fingerprint is a short sequence of bytes that identifies the longer public key. You should check the fingerprint yum presents against a trusted fingerprint (usually published on the package maintainer's web site). If you don't check the fingerprint, you could be importing a public key from a malicious actor, and yum will then happily install whatever malicious payload that actor has inserted into RPM files.

I've compiled a list of all the public key fingerprints that I use on a regular basis. However, you really shouldn't trust my list, either. Whenever yum or rpm asks you to add a new key, follow the links below to the original package creator and verify that the fingerprints match!

Getting the Fingerprint From the Public Key

Some package maintainers don't publish the fingerprint on their web site, but they do publish the public key itself. You can import the key with gpg and have gpg print its fingerprint. Here is an example for the SaltStack repo:

$ gpg --fetch-keys https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
gpg: requesting key from 'https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub'
gpg: key 0E08A149DE57BFBE: public key "SaltStack Packaging Team <packaging@saltstack.com>" imported
gpg: Total number processed: 1
gpg: imported: 1

$ gpg --fingerprint
/path/to/keyring/.gnupg/pubring.kbx
------------------------------------

...

pub   dsa1024 2005-04-21 [SC]
      1EE0 4CCE 88A4 AE4A A29A  5DF5 004E 6F47 00F9 7F56
uid           [ unknown] Remi Collet <RPMS@FamilleCollet.com>
sub   elg1024 2005-04-21 [E]

pub   rsa2048 2014-06-24 [SC]
      754A 1A7A E731 F165 D5E6  D4BD 0E08 A149 DE57 BFBE
uid           [ unknown] SaltStack Packaging Team <packaging@saltstack.com>
sub   rsa2048 2014-06-24 [E]

The latest key imported is at the bottom of the list.

Showing All Cached Package Signing Keys

Once you've accepted a public key, yum imports it into the RPM database, where it appears as a gpg-pubkey pseudo-package. To list all the cached keys:

$ rpm -q gpg-pubkey --qf '%{name} %{version} %{summary}\n'

gpg-pubkey f4a80eb5 gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>)
gpg-pubkey 352c64e5 gpg(Fedora EPEL (7) <epel@fedoraproject.org>)

The 8-hex-character string in the second column is the short key ID: the last 8 hex digits (4 bytes) of the fingerprint. To see the full fingerprint of a cached key, print its armored key block with `--qf '%{description}'` and pipe it through gpg as in the previous section.
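The two procedures above (reading a key's full fingerprint with gpg, and checking a key yum has already cached) can be scripted so the comparison is not done by eye. This is an added example, not a script from the original post; it assumes gpg 2.1 or later (for `--import-options show-only`) and rpm on the PATH, and the sample fingerprints are the ones listed on this page.

```shell
#!/bin/sh
# Added example (not from the original post): compare a signing key's full
# fingerprint with the value the vendor publishes, ignoring spacing and case.
# Assumes gpg >= 2.1 and rpm are installed.

# Canonical form of a fingerprint: no whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n\t' | tr 'abcdef' 'ABCDEF'
}

# Return 0 when two non-empty fingerprints (any spacing/case) denote the same key.
fpr_matches() {
    [ -n "$(normalize_fpr "$1")" ] &&
        [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary-key fingerprint of an OpenPGP public key read from stdin.
# "show-only" inspects the key without importing it, so ~/.gnupg is untouched.
# In --with-colons output the "fpr" record carries the fingerprint in field 10;
# the first fpr record belongs to the primary key.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Verify a key already in the RPM database (named by the 8-hex short ID that
# `rpm -q gpg-pubkey` prints) against the vendor-published fingerprint.
check_cached_key() {
    keyid=$1
    expected=$2
    actual=$(rpm -q "gpg-pubkey-$keyid" --qf '%{description}' | key_fingerprint)
    if fpr_matches "$actual" "$expected"; then
        echo "gpg-pubkey-$keyid: fingerprint matches"
    else
        echo "gpg-pubkey-$keyid: MISMATCH (got '$actual', expected '$expected')" >&2
        return 1
    fi
}

# Same check for a downloaded key file, to run before importing it.
check_key_file() {
    actual=$(key_fingerprint < "$1")
    fpr_matches "$actual" "$2"
}

# Usage, with fingerprints from the list on this page:
#   check_cached_key f4a80eb5 '6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5'
#   curl -sO https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
#   check_key_file SALTSTACK-GPG-KEY.pub '754A 1A7A E731 F165 D5E6  D4BD 0E08 A149 DE57 BFBE'
```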

Master RPM Signing Key Fingerprint List

CentOS RPM Package Signing Key Fingerprint

https://www.centos.org/keys/

6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5

CentOS RPM Software Collections Package Signing Key Fingerprint

C4DB D535 B1FB BA14 F8BA  64A8 4EB8 4E71 F2EE 9D55

EPEL RPM Package Signing Key Fingerprint

https://getfedora.org/keys/

91E9 7D7C 4A5E 96F1 7F3E  888F 6A2F AEA2 352C 64E5

Remi RPM Package Signing Key Fingerprint

http://rpms.remirepo.net/RPM-GPG-KEY-remi

Remi publishes the public key, not the fingerprint. Get the fingerprint of Remi's key by importing the key with gpg, as shown above.

1EE0 4CCE 88A4 AE4A A29A  5DF5 004E 6F47 00F9 7F56

MariaDB RPM Package Signing Key Fingerprint

https://mariadb.com/kb/en/mariadb/yum/

1993 69E5 404B D5FC 7D2F  E43B CBCB 082A 1BB9 43DB

Atomic Corp RPM Package Signing Key Fingerprint

Get the key from https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt and use the gpg commands shown above to get the fingerprints:

Newer key: 1818 66DF 9DAC A40E 5B42  9B08 FFBD 5D0A 4520 AFA9
Older key: 292E B92E F0E0 77E4 19C6  DAFF 32A9 5114 5EBD 2744

SaltStack RPM Package Signing Key Fingerprint

https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub

754A 1A7A E731 F165 D5E6  D4BD 0E08 A149 DE57 BFBE

Icinga RPM Package Signing Key Fingerprint

https://packages.icinga.com/icinga.key

F51A 91A5 EE00 1AA5 D77D  53C4 C6E3 19C3 3441 0682

MongoDB RPM Package Signing Key Fingerprint

https://www.mongodb.org/static/pgp/

MongoDB has a different key for every minor release, so I can't keep up with all the fingerprints. Use the procedure above to extract the fingerprint from the key.

Google Cloud Packages RPM Package Signing Key Fingerprint

https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

D0BC 747F D8CA F711 7500  D6FA 3746 C208 A731 7B0F

https://packages.cloud.google.com/yum/doc/yum-key.gpg

D0BC 747F D8CA F711 7500  D6FA 3746 C208 A731 7B0F

New Relic APM RPM Package Signing Key Fingerprint

I don’t know the link, but this is the fingerprint of the key that Yum cached:

B60A 3EC9 BC01 3B9C 2379  0EC8 B31B 29E5 548C 16BF

New Relic Infrastructure Package Signing Key Fingerprint

http://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg

A758 B3FB CD43 BE8D 123A  3476 BB29 EE03 8ECC E87C