GPG signatures for Yum Proxy/Group

Signing data with a GPG key enables the recipient of the data to verify that no modifications occurred after the data was signed (assuming the recipient has a copy of the sender’s public GPG key).

Yum Proxy and Group repositories generate their own metadata files in the repodata folder, and these files can be signed with a GPG key.

This page describes the steps needed to set that up.

Generate a GPG keypair

To let clients perform a GPG signature check on the repodata of a repository, you first need to generate a GPG key pair.

Use the following GPG command to generate a GPG keypair:

gpg --gen-key

If this fails on CentOS 8, use:

gpg --gen-key --pinentry-mode loopback

Example GPG keypair generation session:

$ gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
 (1) RSA and RSA (default)
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
 0 = key does not expire
 <n> = key expires in n days
 <n>w = key expires in n weeks
 <n>m = key expires in n months
 <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: nxrm
Name must be at least 5 characters long
Real name: nxrmtest
Email address: nxrmtest@example.com
Comment:
You selected this USER-ID:
 "nxrmtest <nxrmtest@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 7A8571ED marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/7A8571ED 2020-11-19
 Key fingerprint = 1F01 7823 26E4 F130 0557 63A2 AC96 959F 7A85 71ED
uid nxrmtest <nxrmtest@example.com>
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.

Export ASCII-armored public/private keys

The repository metadata is signed with the private key and verified with the public key, so the private key has to be given to NXRM and the public key has to be distributed to your Yum clients. Use the --export option to export a key from the keyring to a file. The -a or --armor option encodes the output as plain text. The -o or --output option writes the output to the specified file instead of printing it to standard output.

  • Use the following GPG command to export the generated public key to a file:
gpg --armor --output RPM-GPG-KEY-nxrmtest --export <email from the 1st step>

You can distribute this key to your users any way you want. We suggest publishing it in an NXRM Raw Hosted repository, so that your users can point to a single URL that stays stable should you need to update the key.

  • Use the following GPG command to export the generated private key to a file:
gpg --armor --output RPM-GPG-KEY-nxrmtest.secret --export-secret-key <email from the 1st step>

Never share this key with anyone else. You only need to pass it (together with the passphrase that protects it) to NXRM so that it can sign the metadata files.

Create Yum Proxy or Group repository

  • Create a Yum Proxy repository pointing to a remote repository of your choice, e.g. http://mirror.centos.org/, and provide the generated private key and its passphrase (if one was set).
  • Copy the whole content of the private key file (e.g. RPM-GPG-KEY-nxrmtest.secret) into the Yum Settings - Signing Key section of the Yum Proxy repository.
  • In Yum Settings - Passphrase enter the passphrase that was used when creating the private key, or leave it empty if the key was created without one.

Optionally, you can also create a Yum Group repository with another GPG key to merge the content of multiple repositories under a single NXRM repository. In this case, the GPG section should be configured only for the group repository, because the group generates its own metadata and signs it.

Configure Yum client to use your Yum Proxy or Yum Group repository

This step needs to be done on each Yum client machine to point it at your NXRM repository and to make it use your GPG key to verify the metadata signature. Edit the repository configuration of your operating system (for CentOS 7 this lives in /etc/yum.repos.d/): you can either edit each individual .repo file or replace them all with a single file pointing at an NXRM Yum Group repository. To take advantage of the signed metadata, enable the check by adding repo_gpgcheck=1 and appending the URL of your public GPG key to the gpgkey property.

  • Set repo_gpgcheck=1 in the .repo file. The public GPG key used for the check is then taken from the gpgkey property.

If you verify both packages and repodata (gpgcheck=1 and repo_gpgcheck=1) with different GPG keys, list multiple URLs in the gpgkey property, as in the example .repo file further down.

  • Set gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-nxrmtest in the .repo file (the exported public key file must exist at that path). Alternatively, you can import the key with the command:
rpm --import RPM-GPG-KEY-nxrmtest

Alternatively, instead of a file:// link, you can use the URL of the public key in a hosted repository, e.g. http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest.

Here's an example Yum .repo file:

# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/os/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7,http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest
#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/updates/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7,http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/extras/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7,http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/centosplus/$basearch/
gpgcheck=1
repo_gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7,http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest
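Whether a client actually verifies the signed metadata depends entirely on the .repo settings described above, and a single section with a missing repo_gpgcheck silently falls back to unsigned metadata (yum defaults both gpgcheck and repo_gpgcheck to 0). The following audit script is an added example, not code from the page or from NXRM: it parses a constructed .repo file modelled on the one above, reports every section that does not verify packages, does not verify repodata, or does not list the NXRM metadata key in gpgkey, and shows the hardened form of a weak section. The key URL, the sample sections and the function names are assumptions made for this example.

```python
"""Audit yum .repo sections for metadata-signature settings (added example)."""
import configparser

# Assumed URL of the NXRM-hosted public key that signs the repodata.
NXRM_KEY_URL = "http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest"

# Constructed sample: [base] is configured as this page recommends,
# [updates] lacks repo_gpgcheck, [extras] disables gpgcheck and has no gpgkey.
SAMPLE_REPO = """\
[base]
name=CentOS-$releasever - Base
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/os/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7,http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest

[updates]
name=CentOS-$releasever - Updates
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever - Extras
baseurl=http://host.docker.internal:8081/repository/yum-proxy/centos/$releasever/extras/$basearch/
gpgcheck=0
repo_gpgcheck=1
enabled=0
"""


def parse_repo(text):
    """Parse .repo text into {section_name: {option: value}}.

    Interpolation is disabled so yum variables such as $releasever survive.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def key_urls(value):
    """Split a gpgkey value; yum accepts URLs separated by commas, spaces or newlines."""
    return [url for url in value.replace(",", " ").split() if url]


def is_true(value):
    """Interpret a yum boolean option value."""
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_section(opts, metadata_key_url):
    """Return a list of findings for one repo section; an empty list means hardened."""
    findings = []
    # yum treats a missing gpgcheck/repo_gpgcheck as 0, i.e. no verification.
    gpgcheck = is_true(opts.get("gpgcheck", "0"))
    repo_gpgcheck = is_true(opts.get("repo_gpgcheck", "0"))
    keys = key_urls(opts.get("gpgkey", ""))
    if not gpgcheck:
        findings.append("gpgcheck is not 1: package signatures are not verified")
    if not repo_gpgcheck:
        findings.append("repo_gpgcheck is not 1: repodata signature is not verified")
    elif metadata_key_url not in keys:
        findings.append("repo_gpgcheck=1 but gpgkey does not list the metadata signing key")
    if (gpgcheck or repo_gpgcheck) and not keys:
        findings.append("no gpgkey: yum has no key to import for this repository")
    return findings


def audit_repo(text, metadata_key_url):
    """Audit every section of a .repo file; returns {section_name: [findings]}."""
    return {name: audit_section(opts, metadata_key_url)
            for name, opts in parse_repo(text).items()}


def harden(opts, metadata_key_url):
    """Return a copy of a section with both checks enabled and the metadata key listed."""
    fixed = dict(opts)
    fixed["gpgcheck"] = "1"
    fixed["repo_gpgcheck"] = "1"
    keys = key_urls(fixed.get("gpgkey", ""))
    if metadata_key_url not in keys:
        keys.append(metadata_key_url)
    fixed["gpgkey"] = ",".join(keys)
    return fixed


if __name__ == "__main__":
    for section, findings in audit_repo(SAMPLE_REPO, NXRM_KEY_URL).items():
        print(f"[{section}]", "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
    print("hardened [extras]:", harden(parse_repo(SAMPLE_REPO)["extras"], NXRM_KEY_URL))
```

Run it against your own files with parse_repo(open(path).read()) for each file in /etc/yum.repos.d/; a section is only safe when its findings list is empty. Note that a disabled section (enabled=0) is still reported, since it becomes live as soon as someone runs yum with --enablerepo.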

Verifying Yum content

You can now securely download and verify all content of your Yum proxy and group repositories, including the metadata signatures.

$ yum install nano
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
BaseOS/7/x86_64/signature                                                                                                                                                |  475 B  00:00:00     
BaseOS/7/x86_64/signature                                                                                                                                                | 2.2 kB  00:00:02 !!! 
extras/7/x86_64/signature                                                                                                                                                |  475 B  00:00:00     
Retrieving key from http://host.docker.internal:8081/repository/proxy/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 From       : http://host.docker.internal:8081/repository/proxy/RPM-GPG-KEY-CentOS-7
Is this ok [y/N]: y
Retrieving key from http://host.docker.internal:8081/repository/keys/RPM-GPGKEY-nxrmtest
extras/7/x86_64/signature                                                                                                                                                | 1.5 kB  00:00:06 !!! 
(1/3): BaseOS/7/x86_64/group_gz                                                                                                                                          | 153 kB  00:00:00     
(2/3): extras/7/x86_64/primary                                                                                                                                           |  98 kB  00:00:00     
(3/3): BaseOS/7/x86_64/primary                                                                                                                                           | 2.9 MB  00:00:06     
BaseOS                                                                                                                                                                              10072/10072
extras                                                                                                                                                                                  448/448
Resolving Dependencies
--> Running transaction check
---> Package nano.x86_64 0:2.3.1-10.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================
 Package                                    Arch                                         Version                                             Repository                                    Size
================================================================================================================================================================================================
Installing:
 nano                                       x86_64                                       2.3.1-10.el7                                        BaseOS                                       440 k

Transaction Summary
================================================================================================================================================================================================
Install  1 Package

Total download size: 440 k
Installed size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
nano-2.3.1-10.el7.x86_64.rpm                                                                                                                                             | 440 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : nano-2.3.1-10.el7.x86_64                                                                                                                                                     1/1 
  Verifying  : nano-2.3.1-10.el7.x86_64                                                                                                                                                     1/1 

Installed:
  nano.x86_64 0:2.3.1-10.el7                                                                                                                                                                    

Complete!