Ask Your Question
2

Confusion with RPM Fusion's signing keys.

asked 2013-12-27 18:06:09 -0500

Black_Bucket gravatar image

updated 2013-12-27 22:43:02 -0500

Hello. I'm a little confused about RPM Fusion and it's signing keys. I've been reading something about PGP, but in general terms I am illiterate with respect to cryptography.

What I understand by what I've read is that each package in RPM Fusion has associated a GPG Signature such that, before the package is installed, yum verifies. This is to check integrity of the package.

But here is where I get confused: it seems that you can also check the integrity of the whole RPM Fusion repo, so you are given the fingerprint keys to compare them after you have installed the repo.

So my questions would be:

  1. Is what I wrote above correct or I am misunderstanding something?
  2. If I understood well then, how can I check the fingerprint of RPM Fusion?
  3. The instruction to install the repos is to type the following command: su -c 'yum localinstall --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm'. So I wonder: if I remove the --nogpgcheck option in the command above, do I not spare the after-installation gpg key checking?
  4. How necessary is it really to check the repo's keys? I'm asking this because the Livna repo (which I also plan to install since it is complementary to RPM Fusion) does not provide any.

Thank you and excuse me for this long post.

edit retag flag offensive close merge delete

Comments

Livna is now obsolete... for security all repository should include a gpg key...

davidva gravatar imagedavidva ( 2013-12-27 23:22:23 -0500 )edit

2 Answers

Sort by ยป oldest newest most voted
2

answered 2014-01-03 17:20:36 -0500

sergiomb gravatar image

in reply of point 3:

yes you may install key before, go to http://rpmfusion.org/keys

download and save to disk key that you want, F21 for example , you will save RPM-GPG-KEY-rpmfusion-free-fedora-21 after that as root just do:

rpm --import RPM-GPG-KEY-rpmfusion-free-fedora-21

now you can install rpmfusion free release packages without --nogpgcheck

edit flag offensive delete link more
2

answered 2013-12-27 23:42:41 -0500

FranciscoD_ gravatar image

Most of what you've written is correct. A GPG key pair is two keys: a public and private key. All packages from any repositories should be signed with the private key and yum uses this to check it against the public key that each repository provides. To see what gpg keys a repository provides, you can check the /etc/pki/rpm-gpg/ directory.

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-check-rpm-sig.html has more info on verifying packages.

Yum verifies the gpg key or each package before installing it.

When you install the rpmfusion repository, you use --nogpgcheck to ask yum to not verify the gpg signature for this particular transaction only, not all the other packages that you'll install later from rpmfusion. If you don't provide this option, you'll likely get an error since you haven't got the gpg key information for the rpmfusion-release rpms on your system already.

Livna is all but obsolete. As far as I know, it only one package: libdvdcss2.

It's a good idea to use repositories that you trust, and that sign their packages. It helps protect you against attacks, such as the man in the middle attack

edit flag offensive delete link more

Comments

1

Okay, so I don't install Livina unless I need to play DVDs. Would you say that the repos I have installed - Fedora, Fedora Updates, RPM Fusion Free + Updates, RPM Fusion NonFree + Updates- are enough or I'm lacking another one?

Black_Bucket gravatar imageBlack_Bucket ( 2013-12-28 14:48:51 -0500 )edit

Should be sufficient. If there is software that isn't in any of these, it'll only be because no one has decided to package it up yet.

FranciscoD_ gravatar imageFranciscoD_ ( 2013-12-28 18:20:11 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2013-12-27 18:06:09 -0500

Seen: 5,552 times

Last updated: Jan 03 '14