Skip to main content

GPG signatures for Yum Proxy/Group

Signing data with a GPG key enables the recipient of the data to verify that no modifications occurred after the data was signed (assuming the recipient has a copy of the sender’s public GPG key).

Yum proxy and group repositories generate their own metadata files in the repodata folder, which you can sign with GPG keys as described in the steps below.

Generate a GPG Key Pair

To perform a GPG signature check on the repodata from a repository, you must generate a GPG key pair.

Use the following GPG command for generating a GPG keypair:

gpg --gen-key

CentOS 8 may require you to use the following instead:

gpg --gen-key --pinentry-mode loopback

Below is an example GPG keypair generation session:

$ gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
 (1) RSA and RSA (default)
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
 0 = key does not expire
 <n> = key expires in n days
 <n>w = key expires in n weeks
 <n>m = key expires in n months
 <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: nxrm
Name must be at least 5 characters long
Real name: nxrmtest
Email address:
You selected this USER-ID:
 "nxrmtest <>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 7A8571ED marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/7A8571ED 2020-11-19
 Key fingerprint = 1F01 7823 26E4 F130 0557 63A2 AC96 959F 7A85 71ED
uid nxrmtest <>
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.

Export ASCII-armored Public/Private Keys

For repositories to send you trusted Yum metadata that can only be signed with the private key and verified with the public, you must share these keys.

  • --export– Export the key from the keyring to a file

  • -a or --armor– Encodes the output to plain text

  • -o or --output– Saves the output to a specified file instead of displaying it to standard out on the screen

GPG Command for Exporting Public Key

Use the following GPG command for exporting a generated public key in the file:

gpg --armor --output RPM-GPG-KEY-nxrmtest --export <email from the 1st step>


You can distribute this key to your users in many ways. We suggest publishing it using a Nexus Repository Raw hosted repository so that your users can point to one URL should you need to update the key.

GPG Command for Exporting Private Key

Use the following GPG command for exporting a generated private key in the file:

gpg --armor --output RPM-GPG-KEY-nxrmtest.secret --export-secret-key <email from the 1st step>


Never share this key with anyone. You need to pass this key (together with the passphrase to use it) to Nexus Repository to let it sign metadata files.

Create Yum Proxy or Group Repository

  • Create a Yum proxy repository pointing to a remote repository of your choice (e.g., and provide the generated private key and passphrase (if needed).

  • Copy the whole content of the private key from the private key (e.g., RPM-GPG-KEY-nxrmtest.secret) and paste it into the Yum Settings - Signing Key section of the Yum Proxy repository.

  • In Yum Settings - Passphrase, write the password used to create the private key or leave it empty if the key was created without it.

Optionally, you can also create a Yum Group repository with another GPG key to merge content of multiple repositories under a single repository. In this case, configure the GPG section for only the group repository and sign it; the group repository will generate its own metadata.

Configure Yum Client to Use Your Yum Proxy or Yum Group Repository

This step needs to be done on each Yum user machine in order to point them to your Nexus Repository and to make them use your GPG key to verify the metadata signature. You can do that in the repository config of your Operating System (for CentOS 7, this would be in/etc/yum.repos.d/) and you can edit each individual file or replace them with a single Nexus Repository Yum Group repository. You can choose to take advantage of signed metadata and enable the check by adding repo_gpgcheck=1 and appending the URL to your public GPG key.

  • Set repo_gpgcheck=1 in the .repo file. In that case, the public GPG key will be used from the gpgkey property.


In case of verifying both packages and repodata (repo_gpgcheck=1 and gpgcheck=1) by using different GPG keys as stated in Multiple URLs in the gpgkey property.

  • Set gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-nxrmtest in the .repo file. Alternatively, you can use the following command:

rpm --import RPM-GPG-KEY-nxrmtest

Alternatively, instead of link to file, you can use link to public key on hosted repository (e.g., http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest).

Here's an example Yum .repo file:


# CentOS-Base.repo
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
name=CentOS-$releasever - Base
#released updates
name=CentOS-$releasever - Updates
#additional packages that may be useful
name=CentOS-$releasever - Extras
#additional packages that extend functionality of existing packages
name=CentOS-$releasever - Plus

Yum content verifying

You can now securely download and verify all of your Yum proxy and group repositories' content, including valid metadata signatures.

$ yum install nano
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
BaseOS/7/x86_64/signature                                                                                                                                                |  475 B  00:00:00     
BaseOS/7/x86_64/signature                                                                                                                                                | 2.2 kB  00:00:02 !!! 
extras/7/x86_64/signature                                                                                                                                                |  475 B  00:00:00     
Retrieving key from http://host.docker.internal:8081/repository/proxy/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 From       : http://host.docker.internal:8081/repository/proxy/RPM-GPG-KEY-CentOS-7
Is this ok [y/N]: y
Retrieving key from http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest
extras/7/x86_64/signature                                                                                                                                                | 1.5 kB  00:00:06 !!! 
(1/3): BaseOS/7/x86_64/group_gz                                                                                                                                          | 153 kB  00:00:00     
(2/3): extras/7/x86_64/primary                                                                                                                                           |  98 kB  00:00:00     
(3/3): BaseOS/7/x86_64/primary                                                                                                                                           | 2.9 MB  00:00:06     
BaseOS                                                                                                                                                                              10072/10072
extras                                                                                                                                                                                  448/448
Resolving Dependencies
--> Running transaction check
---> Package nano.x86_64 0:2.3.1-10.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package                                    Arch                                         Version                                             Repository                                    Size
 nano                                       x86_64                                       2.3.1-10.el7                                        BaseOS                                       440 k

Transaction Summary
Install  1 Package

Total download size: 440 k
Installed size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
nano-2.3.1-10.el7.x86_64.rpm                                                                                                                                             | 440 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : nano-2.3.1-10.el7.x86_64                                                                                                                                                     1/1 
  Verifying  : nano-2.3.1-10.el7.x86_64                                                                                                                                                     1/1 

  nano.x86_64 0:2.3.1-10.el7