GPG signatures for Yum Proxy/Group
Signing data with a GPG key enables the recipient of the data to verify that no modifications occurred after the data was signed (assuming the recipient has a copy of the sender’s public GPG key).
Yum proxy and group repositories generate their own metadata files in the repodata folder, which you can sign with GPG keys as described in the steps below.
Generate a GPG Key Pair
To perform a GPG signature check on the repodata from a repository, you must generate a GPG key pair.
Use the following GPG command for generating a GPG keypair:
gpg --gen-key
CentOS 8 may require you to use the following instead:
gpg --gen-key --pinentry-mode loopback
Below is an example GPG keypair generation session:
$ gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: nxrm
Name must be at least 5 characters long
Real name: nxrmtest
Email address: nxrmtest@example.com
Comment:
You selected this USER-ID:
    "nxrmtest <nxrmtest@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 7A8571ED marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/7A8571ED 2020-11-19
      Key fingerprint = 1F01 7823 26E4 F130 0557  63A2 AC96 959F 7A85 71ED
uid                  nxrmtest <nxrmtest@example.com>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
Export ASCII-armored Public/Private Keys
Yum metadata is signed with the private key and verified with the public key: the private key goes to Nexus Repository, the public key goes to your Yum clients, so you must export both from your keyring. The options used below are:
--export – Exports the key from the keyring to a file
-a or --armor – Encodes the output as ASCII-armored plain text
-o or --output – Saves the output to the specified file instead of printing it to standard output on the screen
GPG Command for Exporting Public Key
Use the following GPG command to export the generated public key to a file:
gpg --armor --output RPM-GPG-KEY-nxrmtest --export <email from the 1st step>
Note
You can distribute this key to your users in many ways. We suggest publishing it using a Nexus Repository Raw hosted repository so that your users can point to one URL should you need to update the key.
GPG Command for Exporting Private Key
Use the following GPG command to export the generated private key to a file:
gpg --armor --output RPM-GPG-KEY-nxrmtest.secret --export-secret-key <email from the 1st step>
Note
Never share this key with anyone. You need to pass this key (together with the passphrase to use it) to Nexus Repository to let it sign metadata files.
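The following is an added example and not part of the Nexus Repository documentation. It performs the key generation and export steps above non-interactively, then shows what happens on each side of the exchange: the secret key signs a constructed repomd.xml with a detached, ASCII-armored signature (the repomd.xml.asc that a client with repo_gpgcheck=1 fetches), and a separate keyring holding only the exported public key verifies it. A tampered copy of the metadata fails verification. It assumes GnuPG 2.1 or later is on PATH as gpg, uses the same nxrmtest identity as the session above, and creates the key without a passphrase (%no-protection) so it runs unattended; the repomd.xml content is constructed.

```shell
#!/bin/sh
# Added example: non-interactive key generation, export, detached signing of
# repodata and verification with only the public key. Not the Nexus
# Repository project's own code. Assumes GnuPG 2.1+ as `gpg`; the
# repomd.xml content below is constructed for the demonstration.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate"; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/signer"   # isolated keyring for the signing key
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# 1. Non-interactive equivalent of the interactive `gpg --gen-key` session
#    above: RSA, sign-only, no expiry, no passphrase (assumption for batch use).
gen_signing_key() {
    gpg --batch --gen-key <<'EOF'
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: nxrmtest
Name-Email: nxrmtest@example.com
Expire-Date: 0
%no-protection
%commit
EOF
}

# 2. Export the public key (for Yum clients) and the secret key (for Nexus).
export_keys() {
    gpg --batch --yes --armor --output "$WORK/RPM-GPG-KEY-nxrmtest" \
        --export nxrmtest@example.com
    gpg --batch --yes --armor --output "$WORK/RPM-GPG-KEY-nxrmtest.secret" \
        --export-secret-keys nxrmtest@example.com
}

# 3. Sign a constructed repomd.xml the way repodata is signed: a detached,
#    ASCII-armored signature stored next to the file as repomd.xml.asc.
sign_repomd() {
    printf '<repomd><revision>1</revision></repomd>\n' > "$WORK/repomd.xml"
    gpg --batch --yes --armor --detach-sign \
        --output "$WORK/repomd.xml.asc" "$WORK/repomd.xml"
}

# 4. Verify a metadata file against repomd.xml.asc in a fresh keyring that
#    contains nothing but the exported public key. Prints "ok" or "bad".
verify_repomd() {
    client="$WORK/client"
    if [ ! -d "$client" ]; then
        mkdir -m 700 "$client"
        GNUPGHOME="$client" gpg --batch --import "$WORK/RPM-GPG-KEY-nxrmtest" 2>/dev/null
    fi
    if GNUPGHOME="$client" gpg --batch --verify "$WORK/repomd.xml.asc" "$1" 2>/dev/null; then
        echo ok
    else
        echo bad
    fi
}

gen_signing_key 2>/dev/null
export_keys
sign_repomd
# A modified copy of the metadata: the signature no longer matches it.
printf '<repomd><revision>2</revision></repomd>\n' > "$WORK/repomd-tampered.xml"
echo "genuine : $(verify_repomd "$WORK/repomd.xml")"
echo "tampered: $(verify_repomd "$WORK/repomd-tampered.xml")"
```

The client-side keyring is deliberately separate from the signer's: a good signature from a key that is merely present (not certified) still returns exit status 0 from gpg --verify, which is the same check yum makes once it has imported the key from the gpgkey URL.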
Create Yum Proxy or Group Repository
Create a Yum proxy repository pointing to a remote repository of your choice (e.g., http://mirror.centos.org/) and provide the generated private key and passphrase (if needed). Copy the whole content of the private key file (e.g., RPM-GPG-KEY-nxrmtest.secret) and paste it into the Yum Settings - Signing Key section of the Yum proxy repository. In Yum Settings - Passphrase, enter the passphrase used to create the private key, or leave it empty if the key was created without one.
Optionally, you can also create a Yum group repository with another GPG key to merge the content of multiple repositories under a single repository. In this case, configure the GPG section only for the group repository and sign it there; the group repository generates its own metadata.
Configure Yum Client to Use Your Yum Proxy or Yum Group Repository
This step must be done on each Yum client machine to point it at your Nexus Repository and to make it use your GPG key to verify the metadata signature. You do that in the repository configuration of your operating system (for CentOS 7, the files in /etc/yum.repos.d/): either edit each individual .repo file, or replace them with a single entry for a Nexus Repository Yum group repository. To take advantage of the signed metadata, enable the check by adding repo_gpgcheck=1 and appending the URL of your public GPG key to the gpgkey property.
Set repo_gpgcheck=1 in the .repo file. Yum then verifies the repodata signature with the public GPG key from the gpgkey property.
Note
To verify both packages and repodata (gpgcheck=1 and repo_gpgcheck=1) with different GPG keys, list multiple URLs, separated by commas, in the gpgkey property, as in the example .repo file below.
Set gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-nxrmtest in the .repo file. Alternatively, you can import the key with the following command:
rpm --import RPM-GPG-KEY-nxrmtest
Instead of a link to a local file, you can also link to the public key on a hosted repository (e.g., http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest).
Here's an example Yum .repo file:
/etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/os/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7,http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/updates/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7,http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/extras/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7,http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/centosplus/$basearch/
gpgcheck=1
repo_gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7,http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest
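The following is an added example, not part of the Nexus Repository documentation. It audits every section of a Yum .repo file for the settings the client configuration above depends on: gpgcheck=1, repo_gpgcheck=1 and a gpgkey property, handling the comma-separated gpgkey list and disabled sections, and warning when a key would be fetched over plain http (the first import of that key is then only as trustworthy as the network path to the host). The sample .repo content is constructed for the demonstration; the host.docker.internal host and the repository paths are taken from the example above and are assumptions, not real endpoints.

```shell
#!/bin/sh
# Added example: audit a Yum .repo file for the signature-checking settings.
# Not the Nexus Repository project's own code. The sample file below is
# constructed; its hostname and paths are assumptions.
set -eu

# Prints one line per section:
#   "<section> OK", "<section> WARN: ...", "<section> FAIL: <reasons>"
#   or "<section> SKIP (disabled)" for enabled=0 sections.
audit_repo_file() {
    awk '
        function flush() {
            if (sec == "") return
            if (enabled == "0") { print sec " SKIP (disabled)"; return }
            why = ""
            if (gpgcheck != "1")      why = why " gpgcheck!=1"
            if (repo_gpgcheck != "1") why = why " repo_gpgcheck!=1"
            if (gpgkey == "")         why = why " no-gpgkey"
            if (why != "") { print sec " FAIL:" why; return }
            # gpgkey may hold several comma-separated URLs; flag any plain-http one
            if (gpgkey ~ /(^|,)http:/) { print sec " WARN: gpgkey fetched over plain http"; return }
            print sec " OK"
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        /^\[.*\]/ {                                       # new [section]: report the previous one
            flush(); sec = $0
            gpgcheck = ""; repo_gpgcheck = ""; gpgkey = ""; enabled = "1"
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck")           gpgcheck = val
            else if (key == "repo_gpgcheck") repo_gpgcheck = val
            else if (key == "gpgkey")        gpgkey = val
            else if (key == "enabled")       enabled = val
        }
        END { flush() }
    ' "$1"
}

# Constructed sample: one correct section, one missing repo_gpgcheck,
# one with package checking switched off, and one disabled section.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample .repo file
[base]
name=CentOS-$releasever - Base
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/os/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7,http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever - Extras
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/extras/$basearch/
gpgcheck=0
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-nxrmtest

[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/centosplus/$basearch/
gpgcheck=1
repo_gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF

audit_repo_file "$SAMPLE"
```

Run it against the real files with a loop such as for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done. A section that is missing repo_gpgcheck=1 still installs packages verified by gpgcheck, but its metadata (and therefore the list of packages and versions it advertises) is accepted unverified.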
Verifying Yum Content
You can now securely download and verify all of your Yum proxy and group repositories' content, including valid metadata signatures.
$ yum install nano
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
BaseOS/7/x86_64/signature                                |  475 B  00:00:00
BaseOS/7/x86_64/signature                                | 2.2 kB  00:00:02 !!!
extras/7/x86_64/signature                                |  475 B  00:00:00
Retrieving key from http://host.docker.internal:8081/repository/proxy/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 From       : http://host.docker.internal:8081/repository/proxy/RPM-GPG-KEY-CentOS-7
Is this ok [y/N]: y
Retrieving key from http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest
extras/7/x86_64/signature                                | 1.5 kB  00:00:06 !!!
(1/3): BaseOS/7/x86_64/group_gz                          | 153 kB  00:00:00
(2/3): extras/7/x86_64/primary                           |  98 kB  00:00:00
(3/3): BaseOS/7/x86_64/primary                           | 2.9 MB  00:00:06
BaseOS                                                              10072/10072
extras                                                                  448/448
Resolving Dependencies
--> Running transaction check
---> Package nano.x86_64 0:2.3.1-10.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch           Version                  Repository        Size
================================================================================
Installing:
 nano           x86_64         2.3.1-10.el7             BaseOS           440 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 440 k
Installed size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
nano-2.3.1-10.el7.x86_64.rpm                             | 440 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : nano-2.3.1-10.el7.x86_64                                     1/1
  Verifying  : nano-2.3.1-10.el7.x86_64                                     1/1

Installed:
  nano.x86_64 0:2.3.1-10.el7

Complete!