Thread: public keys
I’m trying to do a cold yum install of postgresql 12 rpm’s, but do not want to use '--nogpgcheck' when doing so.
Where can I get the public keys?
J
Jess
p.s. Thanks in advance!
Jesse F. Josserand | Sr. Systems Architect/SysAdmin/DB Analyst
|
/etc/pki/rpm-gpg
/etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
/etc/yum.repos.d/pgdg-fedora-all.repo
pub dsa1024 2008-01-08 [SCA]
68C9 E2B9 1A37 D136 FE74 D176 1F16 D2E1 442D F0F8
uid [ unknown] PostgreSQL RPM Building Project <pgsqlrpms-hackers@pgfoundry.org>
sub elg2048 2008-01-08 [E]
Thank you!
Jesse F. Josserand | Sr. Systems Architect/SysAdmin/DB Analyst
|
From: Craig Ringer <craig.ringer@enterprisedb.com>
Sent: Thursday, November 19, 2020 8:06 PM
To: Josserand, Jesse F (NE) <Jesse.Josserand@GDIT.com>
Cc: pgsql-pkg-yum@postgresql.org
Subject: Re: public keys
| [External: Use caution with links & attachments] |
On Fri, Nov 20, 2020 at 1:12 AM Josserand, Jesse F (NE) <Jesse.Josserand@gdit.com> wrote:
I’m trying to do a cold yum install of postgresql 12 rpm’s, but do not want to use '--nogpgcheck' when doing so.
Where can I get the public keys?
I don't know what you mean by a "cold" install.
The keys are packaged in the repo-rpms.
$ rpm -ql pgdg-fedora-repo
/etc/pki/rpm-gpg
/etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
/etc/yum.repos.d/pgdg-fedora-all.repo
They're also available from the repository itself:
The key you want is:
$ gpg --fingerprint 1F16D2E1442DF0F8
pub dsa1024 2008-01-08 [SCA]
68C9 E2B9 1A37 D136 FE74 D176 1F16 D2E1 442D F0F8
uid [ unknown] PostgreSQL RPM Building Project <pgsqlrpms-hackers@pgfoundry.org>
sub elg2048 2008-01-08 [E]
It should probably be published prominently on yum.postgresql.org by key-id and fingerprint, so it can be verified somewhat independently of the actual download repos, but AFAICS ( https://www.google.com/search?q=site%3Ayum.postgresql.org+1F16D2E1442DF0F8 ) it is not.
so consider filing an issue for that:
I also note that nobody's signed the key to attest its validity on the keyservers. That's not necessarily required for rpms, but might be a good idea. When I get a chance to verify it with Devrim via a side channel I'll sign it and push my signature.