LinuxCommandLibrary

rpmkeys

Manage RPM package verification keys

TLDR

List all imported RPM keys. Also outputs each key's ID, which is needed to delete an imported RPM key

$ sudo rpmkeys --list

Remove/delete a previously imported RPM key, given by its 16-character hexadecimal key ID

$ sudo rpmkeys --delete [5a278d9c-5bbc73cb]

Import a repository's RPM signing key

$ sudo rpmkeys --import [path/to/rpm_key]

SYNOPSIS

rpmkeys [OPTION...] [PACKAGE_FILE...]
rpmkeys --import FILE...
rpmkeys --list
rpmkeys --delete KEYID...

PARAMETERS

PACKAGE_FILE...
    Specifies one or more RPM package files whose GPG signatures should be verified. This is often the default operation when no other key-related options like --import or --list are provided.

--import FILE...
    Imports one or more GPG public keys from the specified FILEs into the RPM database. These keys will then be used to verify package signatures.

--list
    Lists all GPG public keys currently imported into the RPM database, displaying their key IDs, summaries, and creation dates.

--delete KEYID...
    Deletes one or more GPG public keys, identified by their KEYID (e.g., '0xABCDEF01'), from the RPM database. Use with caution as this removes trust for packages signed with these keys.

--checksig
    Explicitly instructs rpmkeys to perform signature checking on the specified PACKAGE_FILEs. This is equivalent to using rpm -K.

--quiet
    Suppresses non-error messages, making the command output minimal.

--verbose
    Increases the verbosity of the output, providing more detailed information during operations, such as signature verification results.

--root DIR
    Specifies an alternative root directory for the RPM database. All operations are then performed relative to this directory.

--dbpath PATH
    Specifies an alternative path to the RPM database. This overrides the default database location derived from --root.

DESCRIPTION

The rpmkeys command provides a dedicated interface for handling GPG public keys within the RPM ecosystem. It enables users to securely import new keys, list existing trusted keys, and critically, verify the digital signatures of RPM packages. By performing these operations, rpmkeys plays an essential role in ensuring the authenticity and integrity of software installed on RPM-based systems. It helps mitigate risks associated with tampered or unverified packages, thereby enhancing system security and preventing the installation of unauthorized or corrupted software.

CAVEATS

On many Linux distributions, rpmkeys is not a standalone executable but rather a symbolic link or a wrapper script to rpm --checksig. For importing, listing, or deleting keys, the rpm command itself with --import, -qa gpg-pubkey*, or --erase gpg-pubkey-KEYID is typically used. Key import and deletion usually require root privileges. Always ensure that GPG keys are obtained from trusted sources to prevent security compromises.

TRUST MODEL

RPM's security model relies on a chain of trust established through GPG public keys. When a key is imported using rpmkeys --import (or rpm --import), the system implicitly trusts any package signed by that corresponding private key. This trust is fundamental to verifying package integrity and authenticity. It is paramount to only import keys from officially sanctioned and verifiable sources.

SECURITY IMPLICATIONS

Proper management of RPM GPG keys is a critical security practice. Failing to verify package signatures (e.g., by disabling checks or ignoring warnings) or importing untrusted keys can expose a system to significant risks. Malicious actors could distribute tampered packages that install backdoors, malware, or compromise system stability. rpmkeys provides the tools necessary to maintain a secure package environment.
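An added example, not from this page or from the rpm project: a POSIX sh helper that classifies the one-line summaries printed by rpmkeys --checksig (rpm -K) and fails a batch unless every package carries a signature that verified against an imported key. It assumes the rpm 4.14+ summary format ("FILE: digests signatures OK", "FILE: digests OK", "FILE: ... NOT OK"); the sample report it builds is constructed, not real package output.

```shell
#!/bin/sh
# Added example (not part of the rpmkeys page). Assumption: rpm 4.14+
# summary lines of the form
#   FILE: digests signatures OK      (digest and signature verified)
#   FILE: digests OK                 (digest ok, but the package is unsigned)
#   FILE: digests SIGNATURES NOT OK  (bad signature, or signing key not imported)
# The point: rpm -K exits 0 for an unsigned package, so an installer that
# only checks the exit status silently accepts packages nobody signed.

# classify_checksig_line LINE -> prints ok | unsigned | bad | unknown
classify_checksig_line() {
    case "$1" in
        *"NOT OK"*)                echo bad ;;
        *" digests signatures OK") echo ok ;;
        *" digests OK")            echo unsigned ;;
        *)                         echo unknown ;;
    esac
}

# check_report FILE -> returns 0 only if every line in FILE is "ok".
# Stricter than rpm's own exit status: unsigned packages are rejected too.
check_report() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        status=$(classify_checksig_line "$line")
        printf '%-8s %s\n' "$status" "${line%%:*}"
        [ "$status" = ok ] || rc=1
    done < "$1"
    return $rc
}

# make_sample_report -> writes a constructed report (not real packages)
# to a temp file and prints its path, so the checker can run offline.
make_sample_report() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
good-1.0-1.x86_64.rpm: digests signatures OK
unsigned-2.3-1.noarch.rpm: digests OK
tampered-0.9-4.x86_64.rpm: digests SIGNATURES NOT OK
EOF
    echo "$f"
}

# demo -> run the checker over the constructed report; exits non-zero
demo() {
    f=$(make_sample_report)
    check_report "$f"; rc=$?
    rm -f "$f"
    return $rc
}
```

Against a real batch, replace make_sample_report with `rpmkeys --checksig *.rpm > report.txt` and call check_report on that file; the "unsigned" status is the one rpm's exit code would otherwise hide.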

HISTORY

The concept of cryptographic signature verification was integrated into the RPM Package Manager early in its development by Red Hat to enhance software distribution security. While the core functionality has always resided within the rpm command, utilities like rpmkeys (or its equivalent in direct rpm invocations) emerged to highlight and simplify the crucial aspect of GPG key management and package signature checking. This evolution reflects the growing importance of securing software supply chains against tampering and unauthorized distribution.

SEE ALSO

rpm(8), gpg(1)
