1

How do I verify authenticity of a key offered to me by RPM for a COPR repository?

asked 2016-12-24 04:13:24 -0500

nmbooker

I've enabled a COPR repository thus:

$ sudo dnf copr enable heliocastro/hack-fonts

On installation as usual I'm asked for a GPG key for the new repository by dnf.

warning: /var/cache/dnf/heliocastro-hack-fonts-2beaea60448251cf/packages/hack-fonts-2.020-2.fc24.noarch.rpm: Header V3 RSA/SHA1 Signature, key ID f9cd097a: NOKEY
Importing GPG key 0xF9CD097A:
 Userid     : "heliocastro_hack-fonts (None) <heliocastro#hack-fonts@copr.fedorahosted.org>"
 Fingerprint: 8A78 B415 C2E8 C7FD 6C33 A6C3 A288 BD40 F9CD 097A
 From       : https://copr-be.cloud.fedoraproject.org/results/heliocastro/hack-fonts/pubkey.gpg
Is this ok [y/N]: 

What I'd like to do is check that the user in question is indeed the owner of the key. I've looked through the tabs on the copr page https://copr.fedorainfracloud.org/cop... with no sign. Checking heliocastro's key linked from FAS admin https://admin.fedoraproject.org/accou... gives me his personal key https://keys.fedoraproject.org/pks/lo... .

For Fedora itself, there's an authoritative copy of the RPM key fingerprints on Fedora's main, HTTPS-hosted packages sites.

I've tried substituting the key id from DNF in the keys.fedoraproject.org url above but get 'no keys found': https://keys.fedoraproject.org/pks/lo...

How do I find an authoritative fingerprint and id for the key associated with this repository, or otherwise verify the package was built by the right person?


1 Answer

3

answered 2016-12-24 04:40:09 -0500

msuchy
# dnf install distribution-gpg-keys-copr

This package is signed by the Fedora main GPG key.

Then the gpg key for heliocastro/hack-fonts is in

/usr/share/distribution-gpg-keys/copr/copr-heliocastro-hack-fonts.gpg

Note that this package contains the GPG keys of projects which are at least several months old. It takes some time for new projects to get there.


Comments

Thank you. Just for completeness, here is what I did with that:

$ gpg --import /usr/share/distribution-gpg-keys/copr/copr-heliocastro-hack-fonts.gpg
$ gpg --fingerprint 0xF9CD097A

and the fingerprint matched that reported by RPM. Good enough for me! Thanks.

nmbooker ( 2016-12-24 05:11:44 -0500 )
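The check the answer and the comment above describe is: take the key file shipped in distribution-gpg-keys-copr (a package signed by the Fedora key), compute its fingerprint, and compare it with the Fingerprint line dnf printed. The following is an added example, written for this page and not code from the question, the answer, dnf, rpm or the distribution-gpg-keys project. It does the same comparison without gpg: it parses an OpenPGP public key file (binary or ASCII-armored, as pubkey.gpg and the files under /usr/share/distribution-gpg-keys/copr/ are), recomputes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, a two-byte length and the key packet body), and compares it with the fingerprint text dnf showed, ignoring spacing and case. The key embedded in `build_demo_key` is constructed for the demo with placeholder RSA values; it is not the heliocastro/hack-fonts key, and the file path and the `dnf_fingerprint` argument are what you would paste in on a real system.

```python
"""Compare a COPR repository key file with the fingerprint dnf reported.

Added example, not part of dnf, rpm or distribution-gpg-keys.  Usage on a
real system (path from the answer above, fingerprint from the dnf prompt):

    with open("/usr/share/distribution-gpg-keys/copr/copr-OWNER-PROJECT.gpg", "rb") as f:
        print(matches_dnf_prompt(f.read(), "8A78 B415 ... F9CD 097A"))
"""
import base64
import hashlib
import re
import struct


def _crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: bytes) -> bytes:
    """Return the binary packets of an ASCII-armored key; pass binary through."""
    if not text.lstrip().startswith(b"-----BEGIN PGP"):
        return text
    lines = text.decode("ascii").splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP")) + 1
    while start < len(lines) and lines[start].strip():   # skip "Version:" style headers
        start += 1
    b64, crc = [], None
    for line in lines[start:]:
        line = line.strip()
        if line.startswith("-----END"):
            break
        if line.startswith("="):                          # "=XXXX" trailing CRC line
            crc = int.from_bytes(base64.b64decode(line[1:]), "big")
        elif line:
            b64.append(line)
    raw = base64.b64decode("".join(b64))
    if crc is not None and crc != _crc24(raw):
        raise ValueError("armor CRC24 mismatch: key file is corrupt")
    return raw


def _packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % i)
        if hdr & 0x40:                                    # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte length || public-key packet body (RFC 4880 12.2)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def primary_fingerprint(keyfile: bytes) -> str:
    for tag, body in _packets(dearmor(keyfile)):
        if tag == 6:                                      # primary public-key packet
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def normalize(fpr: str) -> str:
    """'8A78 B415 ... 097A' or '0xf9cd097a' -> bare upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", re.sub(r"^0x", "", fpr.strip())).upper()


def short_key_id(fpr: str) -> str:
    """The 32-bit key ID dnf prints ('0xF9CD097A') is the last 8 hex digits."""
    return "0x" + normalize(fpr)[-8:]


def matches_dnf_prompt(keyfile: bytes, dnf_fingerprint: str) -> bool:
    return primary_fingerprint(keyfile) == normalize(dnf_fingerprint)


def build_demo_key(armored: bool) -> bytes:
    """Constructed v4 RSA public-key packet with placeholder MPIs (not a usable key)."""
    n, e = (1 << 1023) | 0x1234567, 65537                # arbitrary demo values
    mpi = lambda x: struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1482570804) + b"\x01" + mpi(n) + mpi(e)
    packet = b"\x99" + struct.pack(">H", len(body)) + body   # 0x99 = old-format tag 6, 2-byte length
    if not armored:
        return packet
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(_crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: demo\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n").encode()
```

A match only proves that the file from distribution-gpg-keys-copr and the key dnf fetched from copr-be.cloud.fedoraproject.org are the same key; the trust comes from the package carrying that file being signed by the Fedora key, which is the point of the answer. The 8-digit key ID dnf shows in the NOKEY warning is just the tail of the fingerprint, so compare the full 40-digit fingerprint rather than the ID.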

Stats

Asked: 2016-12-24 04:13:01 -0500

Seen: 1,201 times

Last updated: Dec 24 '16