I just installed a server to test Red Hat Enterprise Linux, and of course I want to pull the latest updates from the network, since the DVD I have is obviously out of date. So I run yum (this is RHEL5), and after the updates are downloaded but before they get installed I get the following error:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186 Public key for gnutls-devel-1.4.1-3.el5_4.8.x86_64.rpm is not installed
Hmm. Some hunting around on Google and it’s not immediately obvious what the problem is. But here are a couple hints: (1) the first line is a warning, and isn’t where yum dies at. (2) the second line is one of the packages I’m trying to upgrade.
It turns out that the warning really is the key to the problem. A read through “man rpm” indicates that the RPMs I’m trying to install are signed, but the key to validate the signature isn’t present. (I would think of these as similar to x509 CA certificates, but GPG calls them public keys.) So OK, where do I get the key from? It’s already on my server in the /etc/pki/rpm-gpg directory, but the rpm command it hasn’t yet been told that it can use that key. To do that, run the command “rpm –import /etc/pki/rpm/gpg/RPM*” to import all the keys in that directory into the RPM database. Note that the “import” flag has two leading dashes, which is typically for an option with a long name. You probably need only the file “RPM-GPG-KEY-release”, so you can be more selective with the import if you wish. The rest of this article assumes you weren’t selective.
Keep reading “man rpm” in the section titled “Digital signature and digest verification”, and you’ll see that the key you just imported can be managed like an regular RPM. Do a “rpm -qa gpg-pubkey*” and you can see ones like the following:
gpg-pubkey-2fa658e0-45700c69 gpg-pubkey-37017186-45761324 gpg-pubkey-db42a60e-37ea5438 gpg-pubkey-897da07a-3c979a7f gpg-pubkey-42193e6b-4624eff2
And do you see that one of these, “gpg-pubkey-37017186-45761324”, matches the “37017186” back in the first warning at the top? Run yum again, and the updated RPMs get installed. Success!
Want to verify you got the right key installed? Treat it like an RPM.
$ rpm -qi gpg-pubkey-37017186-45761324 Name : gpg-pubkey Relocations: (not relocatable) Version : 37017186 Vendor: (none) Release : 45761324 Build Date: Mon 10 May 2010 01:49:25 PM EDT Install Date: Mon 10 May 2010 01:49:25 PM EDT Build Host: localhost Group : Public Keys Source RPM: (none) Size : 0 License: pubkey Signature : (none) Summary : gpg(Red Hat, Inc. (release key)
Note that the version says “37017186” (per the first warning above) and the summary says it is the release key (which comes from the filename /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release).
Want to clean up the other keys you probably don’t need? With names like “auxilary”, “beta”, and “former”, you probably don’t need them. Just keep the release key. So again, treat them like an RPM item:
# rpm -e gpg-pubkey-2fa658e0-45700c69 # rpm -e gpg-pubkey-db42a60e-37ea5438 # rpm -e gpg-pubkey-897da07a-3c979a7f # rpm -e gpg-pubkey-42193e6b-4624eff2 # rpm -qa gpg-pubkey* gpg-pubkey-37017186-45761324
Now you can cleanly accept signed release updates.