I just installed a server to test Red Hat Enterprise Linux, and of course I want to pull the latest updates from the network, since the DVD I have is obviously out of date. So I run yum (this is RHEL5), and after the updates are downloaded but before they get installed I get the following error:

warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
Public key for gnutls-devel-1.4.1-3.el5_4.8.x86_64.rpm is not installed

Hmm. Some hunting around on Google and it’s not immediately obvious what the problem is. But here are a couple hints: (1) the first line is a warning, and isn’t where yum dies at. (2) the second line is one of the packages I’m trying to upgrade.

It turns out that the warning really is the key to the problem. A read through “man rpm” indicates that the RPMs I’m trying to install are signed, but the key to validate the signature isn’t present. (I would think of these as similar to x509 CA certificates, but GPG calls them public keys.) So OK, where do I get the key from? It’s already on my server in the /etc/pki/rpm-gpg directory, but the rpm command hasn’t yet been told that it can use that key. To do that, run the command “rpm --import /etc/pki/rpm-gpg/RPM*” to import all the keys in that directory into the RPM database. Note that the “import” flag has two leading dashes, which is typical for an option with a long name. You probably need only the file “RPM-GPG-KEY-redhat-release”, so you can be more selective with the import if you wish. The rest of this article assumes you weren’t selective.

Keep reading “man rpm” in the section titled “Digital signature and digest verification”, and you’ll see that the key you just imported can be managed like a regular RPM. Do a “rpm -qa gpg-pubkey*” and you can see ones like the following:


And do you see that one of these, “gpg-pubkey-37017186-45761324”, matches the “37017186” back in the first warning at the top? Run yum again, and the updated RPMs get installed. Success!

Want to verify you got the right key installed? Treat it like an RPM.

$ rpm -qi gpg-pubkey-37017186-45761324
Name        : gpg-pubkey                   Relocations: (not relocatable)
Version     : 37017186                          Vendor: (none)
Release     : 45761324                      Build Date: Mon 10 May 2010 01:49:25 PM EDT
Install Date: Mon 10 May 2010 01:49:25 PM EDT      Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
Size        : 0                                License: pubkey
Signature   : (none)
Summary     : gpg(Red Hat, Inc. (release key) )

Note that the version says “37017186” (per the first warning above) and the summary says it is the release key (which comes from the filename /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release).

Want to clean up the other keys you probably don’t need? With names like “auxiliary”, “beta”, and “former”, you probably don’t need them. Just keep the release key. So again, treat them like an RPM item:

# rpm -e gpg-pubkey-2fa658e0-45700c69
# rpm -e gpg-pubkey-db42a60e-37ea5438
# rpm -e gpg-pubkey-897da07a-3c979a7f
# rpm -e gpg-pubkey-42193e6b-4624eff2
# rpm -qa gpg-pubkey*
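The whole procedure above (read the key ID out of the NOKEY warning, look for the matching gpg-pubkey package, import the release key if it is missing) can be scripted so the check is repeatable on every new box. The script below is an added example, not part of the original article; it runs against a constructed warning line and a constructed “rpm -qa gpg-pubkey*” listing so it works offline, and only talks to the real RPM database if you call live_installed_keys yourself. The helper names (key_id_from_warning, find_installed_key, check_key_for_warning, live_installed_keys) are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Maps a yum/rpm NOKEY warning to the
# gpg-pubkey package name RPM uses and reports whether that key is installed.

# Pull the 8-hex-digit key ID out of a "NOKEY, key ID xxxxxxxx" warning and
# lower-case it, because gpg-pubkey packages are named gpg-pubkey-<keyid>-<timestamp>
# with the key ID in lower case (e.g. gpg-pubkey-37017186-45761324 in the post).
key_id_from_warning() {
    printf '%s\n' "$1" \
        | sed -n 's/.*NOKEY, key ID \([0-9A-Fa-f]\{8\}\).*/\1/p' \
        | tr 'A-F' 'a-f'
}

# Given a key ID and a newline-separated list of installed gpg-pubkey packages
# (the format printed by `rpm -qa gpg-pubkey*`), print the matching package
# name, or nothing if the key is not in the RPM database.
find_installed_key() {
    keyid="$1"
    installed="$2"
    printf '%s\n' "$installed" | grep "^gpg-pubkey-${keyid}-" || :
}

# Query the real RPM database when rpm is available on this host; on a machine
# without rpm (or when testing) this prints nothing.
live_installed_keys() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa 'gpg-pubkey*'
    fi
}

# Returns 0 if the key named in the warning is installed, 1 if it is missing
# (and says which import command the post uses to fix it), 2 if the line is
# not a NOKEY warning at all.
check_key_for_warning() {
    warning="$1"
    installed="$2"
    keyid=$(key_id_from_warning "$warning")
    if [ -z "$keyid" ]; then
        echo "no NOKEY key ID found in: $warning"
        return 2
    fi
    pkg=$(find_installed_key "$keyid" "$installed")
    if [ -n "$pkg" ]; then
        echo "key $keyid is installed as $pkg"
        return 0
    fi
    echo "key $keyid is NOT installed; run: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
    return 1
}

# Constructed sample data: the warning from the post, and a key listing as it
# would look after importing the release key (plus two of the extra keys).
SAMPLE_WARNING='warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186'
SAMPLE_INSTALLED='gpg-pubkey-37017186-45761324
gpg-pubkey-2fa658e0-45700c69
gpg-pubkey-db42a60e-37ea5438'

# Stand-alone run against the constructed sample.
check_key_for_warning "$SAMPLE_WARNING" "$SAMPLE_INSTALLED"
```

On a real RHEL host, replace the sample listing with the live one, i.e. `check_key_for_warning "$line" "$(live_installed_keys)"`, feeding it the warning line yum printed; a return of 1 tells you the import step has not been done yet, and after the import the same call should report the gpg-pubkey package, which you can then confirm with “rpm -qi” as shown above.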

Now you can cleanly accept signed release updates.