The Importance of Checking Keys
RPM packages are signed using public-key cryptography. A package maintainer uses their private key to sign a package when they create it, and they make the corresponding public key available to the world. When you install a package with Yum or RPM, RPM uses the public key to verify the integrity of the package. If this process weren’t in place, it would be very easy to tamper with packages to install malware. When you install a package and you haven’t used that package’s public key before, yum or RPM prompts you to accept the public key by showing you the public key’s fingerprint. The fingerprint is a short sequence of bytes used to identify a longer public key. You should check the fingerprint presented by rpm or yum against a trusted fingerprint (usually published on the package maintainer’s web site). If you don’t check the fingerprint, you could be importing a public key from a malicious actor, and then yum will happily install whatever malicious payload that actor has inserted into RPM files.
I’ve compiled a list of all the public key fingerprints that I use on a regular basis. However, you really shouldn’t trust my list, either. Whenever yum or rpm ask you to add a new key, follow the links below to the original package creator and verify that the fingerprints match!
Getting the Fingerprint From the Public Key
Some package maintainers don’t display the fingerprint on their web site, but they do make the public key available. You can use gpg to import the public key and show the fingerprint. Here is an example for the Saltstack repo:
$ gpg --fetch-keys https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
gpg: requesting key from 'https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub'
gpg: key 0E08A149DE57BFBE: public key "SaltStack Packaging Team <packaging@saltstack.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
If you already have the key as a local file instead, import it from that file:
$ gpg --import key-text-file
Then list the fingerprints of everything in your keyring:
$ gpg --fingerprint
/path/to/keyring/.gnupg/pubring.kbx
------------------------------------
...
pub   dsa1024 2005-04-21 [SC]
      1EE0 4CCE 88A4 AE4A A29A 5DF5 004E 6F47 00F9 7F56
uid           [ unknown] Remi Collet <RPMS@FamilleCollet.com>
sub   elg1024 2005-04-21 [E]

pub   rsa2048 2014-06-24 [SC]
      754A 1A7A E731 F165 D5E6 D4BD 0E08 A149 DE57 BFBE
uid           [ unknown] SaltStack Packaging Team <packaging@saltstack.com>
sub   rsa2048 2014-06-24 [E]
The latest key imported is at the bottom of the list.
Showing All Cached Package Signing Keys
Once you’ve accepted a public key, Yum caches it. To see a list of all the cached keys:
$ rpm -q gpg-pubkey --qf '%{Description}' | gpg --with-fingerprint
gpg-pubkey f4a80eb5 gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>)
gpg-pubkey 352c64e5 gpg(Fedora EPEL (7) <epel@fedoraproject.org>)
The 8-character string in the package name is the last 8 hex digits of the key's fingerprint, so you can match a cached key against the fingerprint lists below.
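To make the checks in the two sections above concrete, here is an added Python example (not code from the original post) that does by hand what gpg --fingerprint does for an RPM-GPG-KEY file: it strips the ASCII armor, finds the public-key packet, computes the RFC 4880 v4 fingerprint, normalizes a fingerprint copied from a vendor page before comparing, and derives the 8-character id that rpm -q gpg-pubkey shows. The sample key is constructed inside the script and is not any vendor's real key; in practice you would feed it a downloaded key file.

```python
import base64, hashlib, re

def dearmor(text):
    """Strip the ASCII armor of an RPM-GPG-KEY file and return the raw OpenPGP packet bytes."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"): raise ValueError("not an armored key")
    i = 1
    while i < len(lines) and lines[i].strip(): i += 1   # skip armor headers such as "Version: ..."
    # Base64 runs up to the END line; a line starting with "=" is the CRC24 checksum, not key data.
    return base64.b64decode("".join(l for l in lines[i + 1:] if l and not l.startswith(("-----", "="))))

def first_public_key_packet(data):
    """Walk the packet stream (RFC 4880 s4.2) and return the body of the first tag-6 packet."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:                                          # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192: length, hdr = first, 2
            elif first < 224: length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255: length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else: raise ValueError("partial body lengths not supported")
        else:                                                   # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if not ctb & 0x80 or ltype == 3: raise ValueError("unsupported packet header")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        if tag == 6: return data[pos + hdr:pos + hdr + length]
        pos += hdr + length
    raise ValueError("no public-key packet found")

def fingerprint(armored):
    """v4 fingerprint (RFC 4880 s12.2): SHA-1 over 0x99, a 2-byte body length and the key body."""
    body = first_public_key_packet(dearmor(armored))
    if body[0] != 4: raise ValueError("only v4 keys supported")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def normalize(fp): return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()   # "754a 1a7a ..." -> 40 hex digits

def short_id(fp): return normalize(fp)[-8:].lower()   # the 8-char id that rpm -q gpg-pubkey shows

def matches(armored, trusted_fp):
    """True only when the downloaded key file hashes to the fingerprint the vendor published."""
    return fingerprint(armored) == normalize(trusted_fp)

def demo_armored_key():
    """CONSTRUCTED sample, not a real vendor key: a tiny, insecure RSA key packet, armored."""
    mpi = lambda v: v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1403568000).to_bytes(4, "big") + b"\x01" + mpi(0xC0FFEE1234567890ABCDEF) + mpi(65537)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body      # old-format tag 6, 2-byte length
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % base64.b64encode(packet).decode()
```

Replace demo_armored_key() with the contents of a downloaded RPM-GPG-KEY file and pass the fingerprint from the vendor's page to matches(); a False result means the key you fetched is not the one the vendor published.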
References
- https://www.redhat.com/sysadmin/rpm-gpg-verify-packages
Master RPM Signing Key Fingerprint List
CentOS RPM Package Signing Key Fingerprint
6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5
CentOS RPM Software Collections Package Signing Key Fingerprint
Google Compute Engine
Rapture Automatic Signing Key
cloud-rapture-signing-key-2021-03-01-08_01_09.pub
https://packages.cloud.google.com/yum/doc/yum-key.gpg
7F92 E05B 3109 3BEF 5A3C 2D38 FEEA 9169 307E A071
gLinux Rapture Automatic Signing Key
59FE 0256 8272 69DC 8157 8F92 8B57 C5C2 836F 4BEB
EPEL RPM Package Signing Key Fingerprint
91E9 7D7C 4A5E 96F1 7F3E 888F 6A2F AEA2 352C 64E5
Remi RPM Package Signing Key Fingerprint
http://rpms.remirepo.net/RPM-GPG-KEY-remi
Remi publishes the public key, not the fingerprint. Get Remi’s key fingerprint by importing the key with gpg with the method shown above.
1EE0 4CCE 88A4 AE4A A29A 5DF5 004E 6F47 00F9 7F56
MariaDB RPM Package Signing Key Fingerprint
https://mariadb.com/kb/en/mariadb/yum/
1993 69E5 404B D5FC 7D2F E43B CBCB 082A 1BB9 43DB
Atomic Corp RPM Package Signing Key Fingerprint
Get the key from https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt and use the gpg commands shown above to get the fingerprints:
Newer key: 1818 66DF 9DAC A40E 5B42 9B08 FFBD 5D0A 4520 AFA9
Older key: 292E B92E F0E0 77E4 19C6 DAFF 32A9 5114 5EBD 2744
Salt Stack RPM Package Signing Key Fingerprint
https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
754A 1A7A E731 F165 D5E6 D4BD 0E08 A149 DE57 BFBE
Icinga RPM Package Signing Key Fingerprint
https://packages.icinga.com/icinga.key
f51a 91a5 ee00 1aa5 d77d 53c4 c6e3 19c3 3441 0682
MongoDB RPM Package Signing Key Fingerprint
https://www.mongodb.org/static/pgp/
MongoDB has a different key for every minor release, so I can’t keep up with all the fingerprints. Use the procedure above to extract the fingerprint from the key.
Google Cloud Packages RPM Package Signing Key Fingerprint
https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
D0BC 747F D8CA F711 7500 D6FA 3746 C208 A731 7B0F
https://packages.cloud.google.com/yum/doc/yum-key.gpg
d0bc 747f d8ca f711 7500 d6fa 3746 c208 a731 7b0f
New Relic APM RPM Package Signing Key Fingerprint
I don’t know the link, but this is the fingerprint of the key that Yum cached:
b60a 3ec9 bc01 3b9c 2379 0ec8 b31b 29e5 548c 16bf
New Relic Infrastructure Package Signing Key Fingerprint
http://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg
a758 b3fb cd43 be8d 123a 3476 bb29 ee03 8ecc e87c
Percona MySQL
https://www.percona.com/downloads/RPM-GPG-KEY-percona
Older Percona packages use the key corresponding to the first fingerprint; newer ones use the key corresponding to the second, so you should import both.
430B DF5C 56E7 C94E 848E E60C 1C4C BDCD CD2E FD2A
4D1B B29D 63D9 8E42 2B21 13B1 9334 A25F 8507 EFA5
MySQL Community
Note that the old GPG Build Key for signing MySQL Community releases EXPIRES on 2022-02-16. This is mentioned under “Packaging Notes” in the 8.0.28 release notes, but it also applies to 5.x versions of MySQL. The fingerprint for the new key is:
859b e8d7 c586 f538 430b 19c2 467b 942d 3a79 bd29
OpenSUSE Systems Management Repository
This is a useful repository of RPMs for tools such as Chef, Puppet, Salt, Terraform, etc. It’s also the home of RPMS for terraform-provider-libvirt, the open-source Terraform provider for libvirt.
50E6 0431 5448 5D99 0732 B5D6 ACAA 9CF7 E6E5 A213