2009-09-09

Practical Post: How to figure out RPM Key ID

OK, so you have a lot of RPMs on a system and you don't know where they came from. There are several clues you can use:

1) Repotag. Some repositories append a short tag to the Release field of every package they build. An example from the RPMforge website, where the .rf after the el5 distribution tag is RPMforge's repotag:


rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

There have been lots of arguments for and against repotags. I like them, but I realize that they are only good for a cursory glance at where a package might have come from. The real way is via the ...

2) GPG signature. Most repositories sign their packages with a GPG key, and the public half of that key is usually shipped in the repository's *-release package (under /etc/pki/rpm-gpg/ on Red Hat derived systems). The key has to be imported into the rpm keyring, either with rpm --import or by letting yum fetch it from the gpgkey= URL and asking you to confirm, so that packages install cleanly with yum: with gpgcheck=1 yum verifies that a package's signature checks out against an imported key before installing it. Imported keys show up in the rpm database as pseudo-packages named gpg-pubkey-<short key id>-<timestamp>, so rpm -q gpg-pubkey lists what the system currently trusts.


<3174>smooge> rpm -qf /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
epel-release-4-9
<3175>smooge> rpm -qif /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
Name : epel-release Relocations: (not relocatable)
Version : 4 Vendor: Fedora Project
Release : 9 Build Date: Fri Apr 25 14:58:25 2008
Install Date: Sat Apr 26 05:16:54 2008 Build Host: ppc2.fedora.redhat.com
Group : System Environment/Base Source RPM: epel-release-4-9.src.rpm
Size : 22091 License: GPL
Signature : DSA/SHA1, Fri Apr 25 18:03:52 2008, Key ID 119cc036217521f6
Packager : Fedora Project
URL : http://download.fedoraproject.org/pub/epel
Summary : Extra Packages for Enterprise Linux repository configuration
Description :
This package contains the Extra Packages for Enterprise Linux (EPEL) repository
GPG key as well as configuration for yum and up2date.
<3176>smooge> rpm -Vf /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
<3177>smooge> cat /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL | gpg --with-fingerprint
pub 1024D/217521F6 2007-03-02 Fedora EPEL
Key fingerprint = B940 BE07 7D71 0A28 7D7F 2DD1 119C C036 2175 21F6
sub 2048g/B6610DAF 2007-03-02 [expires: 2017-02-27]



Notice that the last four groups of the fingerprint (119C C036 2175 21F6, its low 64 bits) are exactly the Key ID 119cc036217521f6 printed in the package signature. The empty output from rpm -Vf above matters too: it means the key file on disk is still byte for byte what the epel-release package installed, so nobody has swapped it. You should also check the key against a keyserver, or better against a fingerprint the repository publishes out of band, because a matching key ID only tells you which key signed the package, not that the key is genuine (anyone can upload a key to a keyserver).. but for the case of this short blog, I think I have covered enough. Now you can figure out what packages came from that repository:


<3179>smooge> rpm -qa --qf '%{NAME} %{SIGGPG:pgpsig} %{SIGPGP:pgpsig} \n' | grep 119cc036217521f6 | sort
GeoIP DSA/SHA1, Mon Mar 9 12:17:52 2009, Key ID 119cc036217521f6 (not a blob)
alpine DSA/SHA1, Fri Feb 6 10:26:14 2009, Key ID 119cc036217521f6 (not a blob)
augeas-libs DSA/SHA1, Tue Jul 14 08:33:50 2009, Key ID 119cc036217521f6 (not a blob)
epel-release DSA/SHA1, Fri Apr 25 18:03:52 2008, Key ID 119cc036217521f6 (not a blob)
facter DSA/SHA1, Fri Jun 5 15:46:51 2009, Key ID 119cc036217521f6 (not a blob)
firmware-tools DSA/SHA1, Sun May 17 19:57:53 2009, Key ID 119cc036217521f6 (not a blob)
mod_geoip DSA/SHA1, Mon Mar 9 12:17:52 2009, Key ID 119cc036217521f6 (not a blob)
perl-File-Which DSA/SHA1, Mon Jul 21 15:04:38 2008, Key ID 119cc036217521f6 (not a blob)
perl-PAR-Dist DSA/SHA1, Wed Dec 19 09:59:17 2007, Key ID 119cc036217521f6 (not a blob)
perl-YAML DSA/SHA1, Sat Jan 19 03:09:04 2008, Key ID 119cc036217521f6 (not a blob)
puppet DSA/SHA1, Wed Mar 25 03:28:58 2009, Key ID 119cc036217521f6 (not a blob)
python-decoratortools DSA/SHA1, Mon Sep 22 12:20:26 2008, Key ID 119cc036217521f6 (not a blob)
rpmdevtools DSA/SHA1, Fri Mar 2 16:03:43 2007, Key ID 119cc036217521f6 (not a blob)
ruby-augeas DSA/SHA1, Fri Aug 14 15:33:21 2009, Key ID 119cc036217521f6 (not a blob)
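
The join between the two commands above (key ID printed in each package's signature, key ID derived from each key file's fingerprint) is mechanical, so here it is as a script. This is an added example, not code from the original post or from the rpm or yum projects; it runs offline on constructed sample text shaped like the output of rpm -qa --qf '%{NAME}\t%{SIGGPG:pgpsig}\t%{SIGPGP:pgpsig}\n' and of gpg --with-colons --with-fingerprint on a key file. Only the EPEL key ID and fingerprint are the real ones from the post; the second key, the package names mystery-tool, vendor-agent and homebuilt, and their key IDs are made up. Besides attributing packages it separates out the two cases an audit actually cares about: unsigned packages, and packages signed by a key for which no release package is installed.

```python
#!/usr/bin/env python3
"""Attribute installed RPMs to the GPG key (and so the repository) that
signed them, by joining rpm's signature Key IDs against the fingerprints
of the key files in /etc/pki/rpm-gpg.  Added example, not from the post.

Real inputs would come from:
    rpm -qa --qf '%{NAME}\t%{SIGGPG:pgpsig}\t%{SIGPGP:pgpsig}\n'
    for k in /etc/pki/rpm-gpg/*; do gpg --with-colons --with-fingerprint "$k"; done
"""
import re

# Constructed rpm output.  Three packages signed by the EPEL key from the
# post, one signed by a key we have no file for, one RSA-signed package
# (RSA signatures live in SIGPGP, DSA ones in SIGGPG), and one unsigned
# package.  Every key ID except EPEL's is made up.
RPM_SIG_LINES = """\
alpine\tDSA/SHA1, Fri Feb 6 10:26:14 2009, Key ID 119cc036217521f6\t(not a blob)
puppet\tDSA/SHA1, Wed Mar 25 03:28:58 2009, Key ID 119cc036217521f6\t(not a blob)
epel-release\tDSA/SHA1, Fri Apr 25 18:03:52 2008, Key ID 119cc036217521f6\t(not a blob)
mystery-tool\tDSA/SHA1, Mon Jan 5 09:00:00 2009, Key ID 0123456789abcdef\t(not a blob)
vendor-agent\t(none)\tRSA/SHA256, Tue Sep 1 08:00:00 2009, Key ID fedcba9876543210
homebuilt\t(none)\t(none)
"""

# Constructed gpg --with-colons output for two key files.  The EPEL
# fingerprint is the one shown in the post (gpg 1.x style, uid in the pub
# record); the vendor key is made up and uses the gpg 2.x style separate
# uid record, so the parser has to cope with both layouts.
GPG_COLON_LINES = """\
pub:-:1024:17:119CC036217521F6:2007-03-02:::-:Fedora EPEL::scESC:
fpr:::::::::B940BE077D710A287D7F2DD1119CC036217521F6:
sub:-:2048:16:A1B2C3D4B6610DAF:2007-03-02:2017-02-27:::::e:
pub:-:2048:1:FEDCBA9876543210:2009-01-01:::-:::scESC:
fpr:::::::::000011112222333344445555FEDCBA9876543210:
uid:-::::2009-01-01::0123456789ABCDEF0123456789ABCDEF01234567::Example Vendor Signing Key <security@vendor.example>:
"""

KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")


def key_id_from_fingerprint(fingerprint):
    """The long (64-bit) key ID of a v4 OpenPGP key is the low 64 bits of
    its 160-bit fingerprint: the last 16 hex digits, i.e. the last four
    groups that gpg prints.  Spaces and case are ignored."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fingerprint)
    if len(hexdigits) != 40:
        raise ValueError("expected a 160-bit v4 fingerprint, got %r" % fingerprint)
    return hexdigits[-16:].lower()


def parse_gpg_keys(colon_text):
    """Map long key ID -> user ID from gpg --with-colons output.  Only the
    first fpr record after each pub record is used (it is the primary key's;
    subkey fingerprints do not appear in package signatures)."""
    found = []
    current = None
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"fpr": None, "uid": f[9] if len(f) > 9 else ""}
            found.append(current)
        elif current is None:
            continue
        elif f[0] == "fpr" and current["fpr"] is None and len(f) > 9:
            current["fpr"] = f[9]
        elif f[0] == "uid" and not current["uid"] and len(f) > 9:
            current["uid"] = f[9]
    return {key_id_from_fingerprint(k["fpr"]): k["uid"] for k in found if k["fpr"]}


def parse_rpm_signatures(rpm_text):
    """Map package name -> signing key ID, or None when the package carries
    no signature.  Either signature column may hold the Key ID; an absent
    tag prints as (none) or (not a blob), which the regex simply ignores."""
    sigs = {}
    for line in rpm_text.splitlines():
        if not line.strip():
            continue
        name, _, rest = line.partition("\t")
        m = KEYID_RE.search(rest)
        sigs[name] = m.group(1).lower() if m else None
    return sigs


def attribute_packages(rpm_text, colon_text):
    """Return {package: (key_id, key_uid)}.  key_id is None for an unsigned
    package; key_uid is None when no local key file matches the signature."""
    keys = parse_gpg_keys(colon_text)
    return {pkg: (kid, keys.get(kid) if kid else None)
            for pkg, kid in parse_rpm_signatures(rpm_text).items()}


def group_by_key(attribution):
    """Invert the attribution into {key label: sorted package names}.
    Unsigned packages and unknown keys get their own buckets, since those
    are the packages whose origin still has to be chased."""
    groups = {}
    for pkg, (kid, uid) in attribution.items():
        if kid is None:
            label = "UNSIGNED"
        elif uid is None:
            label = "unknown key " + kid
        else:
            label = "%s (%s)" % (uid, kid)
        groups.setdefault(label, []).append(pkg)
    return {label: sorted(pkgs) for label, pkgs in groups.items()}


if __name__ == "__main__":
    report = group_by_key(attribute_packages(RPM_SIG_LINES, GPG_COLON_LINES))
    for label in sorted(report):
        print(label)
        for pkg in report[label]:
            print("    " + pkg)
```

To run it against a real box, replace the two constants with the output of the commands in the docstring (gpg 1.x needs --with-fingerprint to emit fpr records; gpg 2.x emits them with --with-colons alone). A key ID that lands in the "unknown key" bucket is worth resolving with rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{SUMMARY}\n', which lists every key already imported into the rpm keyring, including ones that no release package on disk accounts for.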



This is probably the most trustworthy way of doing this, since a signature is something only the holder of the key could have produced, unlike a repotag or a file name. The SIGGPG and SIGPGP tags hold DSA and RSA signatures respectively; a package carries one or the other, and the field that is absent prints as (not a blob) or (none). Two results deserve attention: a package with neither field set is unsigned and cannot be attributed this way at all, and a Key ID that matches no key under /etc/pki/rpm-gpg means the package came from somewhere you have no release package for. There should be a way to make a yum or apt plugin that does this automatically. Hope this helps for the moment.

(EDITED 2009-09-10T19:57+0000 ): Various people (thanks Seth Vidal) have pointed out that there are a couple of tools to do this also:
  1. Newer yum records which repository each package it installed came from and shows it in the repo column of yum list installed; packages laid down by anaconda rather than yum have no such record.
  2. Older versions can use the script find-repos-of-install.py from yum-utils.