@jonuwz
Created April 8, 2022 08:50
Notes on RPM signatures.
Background
-----------
Yum is not rpm.
Yum trusts signatures on yum repository metadata.
Rpm trusts signatures on individual rpm packages.
They have separate keyrings.
RPM
----
Common misconception :
By convention, official rpm gpg signing keys are stored in /etc/pki/rpm-gpg
However, this is just where the files are placed before being imported into the rpmdb.
This is not the source of truth for which GPG keys are trusted.
Truths:
Trusted rpm gpg keys are located in the rpmdb
The rpmdb is located at /var/lib/rpm, but cannot be directly modified with filesystem operations.
Importing gpgkeys :
You can trust a GPG key to verify rpm packages with :
# rpm --import <location>
where location is a path on the filesystem, or a url
This action creates an entry in the rpmdb of the form: gpg-pubkey-<version>-<release> (the same NAME, VERSION and RELEASE columns the query below prints)
NOTE: this does not put anything in /etc/pki/rpm-gpg
emphasis:
importing a gpg public key creates an entry in the rpm database.
These all have the package name 'gpg-pubkey', and are not themselves signed.
These packages have 'Group : Public Keys'
Querying the list of trusted GPG keys :
# rpm -q gpg-pubkey --qf '%{NAME} %{VERSION} %{RELEASE} %{SUMMARY}\n'
gpg-pubkey 8483c65d 5ccc5b19 gpg(CentOS (CentOS Official Signing Key) <security@centos.org>)
gpg-pubkey 777715e3 61e8bf8d gpg(Gitlab Packages (RPM Signing Key) <gitlab@home.local>)
The actual GPG key can be viewed for a specific gpg-pubkey entry in the description of the rpm
# rpm -qi gpg-pubkey-777715e3-61e8bf8d
or for all trusted gpg keys :
# rpm -qi gpg-pubkey
Removing a gpg key :
This can be performed the same way you would remove a regular rpm
# rpm -e gpg-pubkey-777715e3-61e8bf8d
Checking the signature of an rpm on the filesystem :
# rpm -K ./example-1.0-1.x86_64.rpm
./example-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK
has return code 1
# rpm -K ./example-1.0-1.x86_64.rpm
./example-1.0-1.x86_64.rpm: digests signatures OK
has return code 0
Querying which GPG key signed an rpm package :
This is viewable in the Signature line of the package information output:
# rpm -qi gcc
Or, more directly :
# rpm -q gcc --qf '%{SIGPGP:pgpsig}\n'
RSA/SHA256, Fri 12 Nov 2021 09:14:39 PM UTC, Key ID 05b555b38483c65d
The Key ID is the important part. This is the tail end of the fingerprint of a gpg key.
Assuming you have extracted and imported all the rpm gpg-pubkey keys into your own keyring, you can run :
gpg --list-keys --fingerprint 05b555b38483c65d
to determine the GPG key that signed the rpm.
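As an added example that is not part of the gist: a small POSIX shell helper that takes the `%{SIGPGP:pgpsig}` line of a package and looks its Key ID up in the trusted gpg-pubkey list from the rpmdb, so you can tell which trusted key (if any) signed a package without building a gpg keyring. The VERSION column of a gpg-pubkey entry is the last 8 hex digits of the signing Key ID (compare 8483c65d with 05b555b38483c65d above), which is what the lookup relies on. The script runs on constructed copies of the two rpm outputs shown above; the function names and the second sample Key ID are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the gist. Maps the Key ID of an rpm signature to the
# trusted gpg-pubkey entry in the rpmdb. Uses constructed sample output so it
# runs offline; on a real host replace TRUSTED_KEYS with the output of
#   rpm -q gpg-pubkey --qf '%{NAME} %{VERSION} %{RELEASE} %{SUMMARY}\n'
# and feed check_signature the output of
#   rpm -q <package> --qf '%{SIGPGP:pgpsig}\n'

# Constructed sample: the trusted key list as the gist's query prints it.
TRUSTED_KEYS='gpg-pubkey 8483c65d 5ccc5b19 gpg(CentOS (CentOS Official Signing Key) <security@centos.org>)
gpg-pubkey 777715e3 61e8bf8d gpg(Gitlab Packages (RPM Signing Key) <gitlab@home.local>)'

# Extract the 16-hex-digit Key ID from a '%{SIGPGP:pgpsig}' line, lower-cased.
# Prints nothing for an unsigned package, whose pgpsig field is "(none)".
sig_keyid() {
  printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# Find the gpg-pubkey entry whose VERSION equals the last 8 hex digits of the
# Key ID. Prints "gpg-pubkey-<version>-<release>", or nothing if not trusted.
trusted_pkg_for_keyid() {
  short=${1#"${1%????????}"}   # strip everything but the last 8 characters
  printf '%s\n' "$TRUSTED_KEYS" \
    | awk -v v="$short" '$1 == "gpg-pubkey" && $2 == v { print $1 "-" $2 "-" $3; exit }'
}

# Classify one signature line. Returns 0 and prints the matching gpg-pubkey
# package name when the signing key is in the rpmdb, returns 1 otherwise.
check_signature() {
  keyid=$(sig_keyid "$1")
  [ -n "$keyid" ] || { echo "unsigned"; return 1; }
  pkg=$(trusted_pkg_for_keyid "$keyid")
  [ -n "$pkg" ] || { echo "untrusted key $keyid"; return 1; }
  echo "$pkg"
}

# Constructed sample signature lines: the one from the gist, a signature by a
# made-up key that is not in the rpmdb, and an unsigned package.
for sig in 'RSA/SHA256, Fri 12 Nov 2021 09:14:39 PM UTC, Key ID 05b555b38483c65d' \
           'RSA/SHA256, Mon 03 Jan 2022 10:00:00 AM UTC, Key ID 0123456789abcdef' \
           '(none)'; do
  printf '%s -> ' "$sig"
  check_signature "$sig" || :
done
```

Note that this only tells you which rpmdb key a package claims to be signed with; the cryptographic check of the signature itself is still `rpm -K`, whose return code is what a deployment script should act on.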