Centos – How to get yum to use the already imported gpg keys


I am trying to add an external repository inside the yum.repos.d directory.
The packages and metadata for that repository are signed with a gpg key.
In case it's relevant, I'm on CentOS 7.2

So far as I can tell, the traditional way to set up the repository is to include a link to the gpg key inside the repository file.

That is, the file example.repo inside /etc/yum.repos.d contains the line:

gpgkey = https://example.com/repo/key

Then if you run yum update, you get a [y/N] prompt to import the GPG key, and if instead you run yum -y update the key gets imported automatically. So far so normal.

As an experiment, I tried removing the gpg-key download link from the repo file, and instead adding the key manually.

wget -O key https://example.com/repo/key
rpm --import key
and verify with
rpm -qa gpg-pubkey*

My expectation was that this would enable yum update to go through without raising the [y/N] prompt. But it didn't work – I still got the prompt asking me to import the key which I had already imported. I tried, in addition, removing the gpgkey entry from the repo file, but in that case yum update simply threw an error (since I also have gpgcheck = 1 and repo_gpgcheck = 1).

Why does this matter? Well, it seems to me that if you want to automate this process, then you are required to trust the https transport through which the key is downloaded. That's fine, but then the GPG key is not really adding any security, beyond verifying that the package downloaded properly.

In short, I think either I'm missing a trick to make yum recognize that I already imported the key, or the GPG keys really aren't adding much beyond plain old https. Any clues?

Best Answer

This is a cargo-cult workaround that seems to work for automating key import:

yum -q makecache -y --disablerepo='*' --enablerepo=THENEWREPO
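Added example, not code from the question or the answer above: a POSIX shell audit of a .repo file that reports, per section, whether signature checks are on and whether the gpgkey is fetched over the network (so the first import is only as trustworthy as the transport) or pinned to a local file:// path delivered out of band. The function names and the sample .repo contents are constructed for this example.

```shell
# classify_gpgkey GPGCHECK REPO_GPGCHECK GPGKEY -> prints one verdict word
classify_gpgkey() {
  if [ "$1" != 1 ] && [ "$2" != 1 ]; then
    echo unchecked        # no signature verification at all
  elif [ -z "$3" ]; then
    echo missing          # checks enabled but no key source (yum errors out)
  else
    case "$3" in
      file://*) echo pinned ;;          # key shipped locally, e.g. by config management
      *)        echo transport-trust ;; # key bootstrapped over the network on first use
    esac
  fi
}

# Emit the verdict for the section collected so far (globals set by audit_repo_file).
_report_section() {
  [ -n "$_sec" ] || return 0
  _v=$(classify_gpgkey "$_gc" "$_rgc" "$_key")
  echo "$_sec $_v"
  [ "$_v" = pinned ] || _rc=1
}

# audit_repo_file PATH -> prints "<repoid> <verdict>" per [section];
# returns 0 only if every section pins its key locally, 1 otherwise.
audit_repo_file() {
  _rc=0; _sec=''; _gc=0; _rgc=0; _key=''
  while IFS= read -r _line || [ -n "$_line" ]; do
    # strip comments and surrounding whitespace (yum allows "key = value")
    _line=$(printf '%s' "$_line" | sed 's/[#;].*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$_line" in
      '') continue ;;
      \[*\])
        _report_section
        _sec=${_line#\[}; _sec=${_sec%\]}; _gc=0; _rgc=0; _key='' ;;
      *=*)
        _k=$(printf '%s' "${_line%%=*}" | sed 's/[[:space:]]*$//')
        _val=$(printf '%s' "${_line#*=}" | sed 's/^[[:space:]]*//')
        case "$_k" in
          gpgcheck)      _gc=$_val ;;
          repo_gpgcheck) _rgc=$_val ;;
          gpgkey)        _key=$_val ;;
        esac ;;
    esac
  done < "$1"
  _report_section
  return $_rc
}
```

A transport-trust verdict is the situation the question describes: with yum -y the key is accepted on the strength of the https fetch. Note also that yum keeps the keys it uses for repo_gpgcheck in its own keyring, separate from the rpm database, so rpm --import alone does not satisfy repodata verification.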