Ask Your Question
2

Confusion with RPM Fusion's signing keys.

asked 2013-12-27 18:06:09 -0600

Black_Bucket gravatar image

updated 2013-12-27 22:43:02 -0600

Hello. I'm a little confused about RPM Fusion and it's signing keys. I've been reading something about PGP, but in general terms I am illiterate with respect to cryptography.

What I understand by what I've read is that each package in RPM Fusion has associated a GPG Signature such that, before the package is installed, yum verifies. This is to check integrity of the package.

But here is where I get confused: it seems that you can also check the integrity of the whole RPM Fusion repo, so you are given the fingerprint keys to compare them after you have installed the repo.

So my questions would be:

  1. Is what I wrote above correct or I am misunderstanding something?
  2. If I understood well then, how can I check the fingerprint of RPM Fusion?
  3. The instruction to install the repos is to type the following command: su -c 'yum localinstall --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm'. So I wonder: if I remove the --nogpgcheck option in the command above, do I not spare the after-installation gpg key checking?
  4. How necessary is it really to check the repo's keys? I'm asking this because the Livna repo (which I also plan to install since it is complementary to RPM Fusion) does not provide any.

Thank you and excuse me for this long post.

edit retag flag offensive close merge delete

Comments

Livna is now obsolete... for security all repository should include a gpg key...

davidva gravatar imagedavidva ( 2013-12-27 23:22:23 -0600 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
2

answered 2014-01-03 17:20:36 -0600

sergiomb gravatar image

in reply of point 3:

yes you may install key before, go to http://rpmfusion.org/keys

download and save to disk key that you want, F21 for example , you will save RPM-GPG-KEY-rpmfusion-free-fedora-21 after that as root just do:

rpm --import RPM-GPG-KEY-rpmfusion-free-fedora-21

now you can install rpmfusion free release packages without --nogpgcheck

edit flag offensive delete link more
add a comment
2

answered 2013-12-27 23:42:41 -0600

FranciscoD_ gravatar image

Most of what you've written is correct. A GPG key pair is two keys: a public and private key. All packages from any repositories should be signed with the private key and yum uses this to check it against the public key that each repository provides. To see what gpg keys a repository provides, you can check the /etc/pki/rpm-gpg/ directory.

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-check-rpm-sig.html has more info on verifying packages.

Yum verifies the gpg key or each package before installing it.

When you install the rpmfusion repository, you use --nogpgcheck to ask yum to not verify the gpg signature for this particular transaction only, not all the other packages that you'll install later from rpmfusion. If you don't provide this option, you'll likely get an error since you haven't got the gpg key information for the rpmfusion-release rpms on your system already.

Livna is all but obsolete. As far as I know, it only one package: libdvdcss2.

It's a good idea to use repositories that you trust, and that sign their packages. It helps protect you against attacks, such as the man in the middle attack

edit flag offensive delete link more

Comments

1

Okay, so I don't install Livina unless I need to play DVDs. Would you say that the repos I have installed - Fedora, Fedora Updates, RPM Fusion Free + Updates, RPM Fusion NonFree + Updates- are enough or I'm lacking another one?

Black_Bucket gravatar imageBlack_Bucket ( 2013-12-28 14:48:51 -0600 )edit

Should be sufficient. If there is software that isn't in any of these, it'll only be because no one has decided to package it up yet.

FranciscoD_ gravatar imageFranciscoD_ ( 2013-12-28 18:20:11 -0600 )edit
add a comment

Question Tools

subscribe to rss feed

Stats

Asked: 2013-12-27 18:06:09 -0600

Seen: 5,607 times

Last updated: Jan 03 '14

Related questions

Can "Software" list packages from rpm fusion?

Why RpmFusion is installed if no key is installed ?

FC15 yum fedora repo recovery

F20: Unable to make prepare on kernel source

Second monitor is incorrect size

samba & firewall problem on fedora20

How to install variety on fedora 20

username on top panel

Unable to change static IP

authenticate dialog rejects root password

Ask Fedora is community maintained and Red Hat or Fedora Project is not responsible for content. Content on this site is licensed under a CC-BY-SA 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2