15

I have a custom RPM repo in Artifactory, and GPG signing keys were recently enabled.

When I ran sudo yum check-updates I was prompted to add the key:

Retrieving key from https://artifactory.example.com/myrepo/repodata/repomd.xml.key
Importing GPG key 0x12345678:
 Userid     : "John Doe <[email protected]>"
 Fingerprint: 1234 5678 90ab cdef 1234 5678 90ab cdef 1234 5678
 From       : https://artifactory.example.com/myrepo/repodata/repomd.xml.key

I added the key, which was successful. However, I would now like to remove the key. I need to add the key programmatically (e.g. via Ansible) to numerous servers, and so I would like to reproduce the same behavior as before (where I am prompted to add the key) so that I can confirm that adding the key programmatically changes this behavior.

I have tried using yum-config-manager to unset the gpgkey, but the behavior remains the same (yum does not prompt me to accept the key):

sudo yum-config-manager --setopt=artifactory.gpgkey='' --save

I've additionally deleted the yum cache (sudo yum clean all and sudo rm -rf /var/cache/yum).

How can I remove this key from the yum repo configuration?

Version info:

$ yum --version
3.4.3

2 Answers 2

11

Using rpm you can list keys and remove them.

[root@apps2 ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-f4a80eb5-53a7ff4b    gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>)
gpg-pubkey-352c64e5-52ae6884    gpg(Fedora EPEL (7) <[email protected]>)
[root@apps2 ~]# rpm -e gpg-pubkey-352c64e5-52ae6884
[root@apps2 ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
gpg-pubkey-f4a80eb5-53a7ff4b    gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>)
[root@apps2 ~]#
2
  • I deleted the key using rpm (sudo rpm -e --allmatches gpg-pubkey-12345678-abcdefab) but yum is still not prompting me to add the key.
    – cherdt
    Commented Mar 1, 2018 at 16:02
  • 4
    rpm is not yum; they keep separate keyrings.
    – Eric Dand
    Commented Mar 3, 2021 at 23:54
5

Yum has a GPG keyring for repos that support GPG metadata signing. On my system, the relevant paths for this particular repo were:

  • /var/lib/yum/repos/x86_64/7/artifactory/gpgdir
  • /var/lib/yum/repos/x86_64/7/artifactory/gpgdir-ro

I was able to delete the GPG keys from those keyrings:

sudo gpg --homedir /var/lib/yum/repos/x86_64/7/artifactory/gpgdir --delete-key 12345678
sudo gpg --homedir /var/lib/yum/repos/x86_64/7/artifactory/gpgdir-ro --delete-key 12345678

Running sudo yum check-update at this point still did not prompt me to accept the key. I ran sudo yum clean metadata, and after that sudo yum check-update did re-prompt me to accept the GPG key.

I found PackageCloud's page on YUM GPG keys helpful in arriving at this solution.

1
  • 3
    With RHEL/CentOS 8 and repos managed by DNF, the keys are now stored in /var/cache/dnf/*/pubring.
    – F30
    Commented Jul 23, 2021 at 11:24

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .