Centos – What are gpg-pubkey* packages

centos fedora gpg rhel rpm

I compared the packages list reported by RPM and YUM on CentOS 6 and 7. I noticed the lists were slightly different (same issue with RHEL). (See Listing installed packages with yum and rpm mismatch on how to compare the RPM and YUM lists.) The difference was just packages named gpg-pubkey:

$ rpm -qa gpg-pubkey*
gpg-pubkey-f4a80eb5-53a7ff4b
gpg-pubkey-352c64e5-52ae6884

What are those packages? Where do they come from? Can I remove those packages?

Best Answer

The packages named gpg-pubkey* are fake RPM packages to store and manage the rpm keys. The manpage rpmkeys(8) mentions how to list and remove those keys. There is also a YUM addon (package yum-plugin-keys):

$ yum keys
Key owner                                     Key email                Repo        Key ID
CentOS-7 Key (CentOS 7 Official Signing Key)  security@centos.org      installed   f4a80eb5-53a7ff4b
Fedora EPEL (7)                               epel@fedoraproject.org   installed   352c64e5-52ae6884
keys done

Alternatively, you can use RPM to list the keys in a compact view:

$ rpm -qa --scripts  gpg-pubkey* --qf '%{Version}-%{Release}  %{Packager}\n'
f4a80eb5-53a7ff4b  CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
352c64e5-52ae6884  Fedora EPEL (7) <epel@fedoraproject.org>

When a key is imported by the system administrator (using rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7, rpmkeys or yum install) the fake package is created (read where does rpm install custom gpg keys?).

Removing those keys is a good idea, if you purged all packages from that packager/provider/repo, since it will prevent the system from installing or upgrading any package from that repo.

Removing those keys is a bad idea, if you haven't purged all packages from that packager/provider/repo, since it will prevent the system from installing or upgrading any package from that repo.
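
The check behind the removal advice above, as an added example that is not part of the original answer: for each gpg-pubkey pseudo-package it counts how many installed packages carry a signature made with that key. It relies on the gpg-pubkey version field being the last 8 hex digits of the signing key ID; the function names `key_usage` and `demo`, the padded key IDs and the package lines are constructed for illustration.

```shell
# key_usage KEYS_FILE SIGS_FILE
#   KEYS_FILE: rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}\n'
#   SIGS_FILE: rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n'
# Prints "<key> <packages signed by it>" per imported key, then totals for
# packages signed by a key that is not imported and for unsigned packages.
key_usage() {
    awk '
        FILENAME == ARGV[1] {                      # imported keys
            if ($1 ~ /^[0-9a-f]+-[0-9a-f]+$/) {
                split($1, part, "-")
                keys[part[1]] = $1
                order[++n] = part[1]
            }
            next
        }
        $1 == "gpg-pubkey" { next }                # the key pseudo-packages
        {
            line = tolower($0)
            if (match(line, /key id [0-9a-f]+/)) {
                id = substr(line, RSTART + 7, RLENGTH - 7)
                short = substr(id, length(id) - 7) # last 8 hex digits
                if (short in keys) used[short]++
                else unknown++
            } else {
                unsigned++
            }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d\n", keys[order[i]], used[order[i]]
            printf "unknown-key %d\nunsigned %d\n", unknown, unsigned
        }
    ' "$1" "$2"
}

# Constructed sample data standing in for the two rpm queries above.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' f4a80eb5-53a7ff4b 352c64e5-52ae6884 > "$dir/keys"
    cat > "$dir/sigs" <<'EOF'
bash RSA/SHA256, Thu 01 Jan 2015 00:00:00 UTC, Key ID 00000000f4a80eb5 (none)
openssl RSA/SHA256, Thu 01 Jan 2015 00:00:00 UTC, Key ID 00000000f4a80eb5 (none)
localtool (none) (none)
gpg-pubkey (none) (none)
gpg-pubkey (none) (none)
EOF
    key_usage "$dir/keys" "$dir/sigs"
    rm -rf "$dir"
}
demo
```

A key with a count of 0 has no installed package signed by it; the unknown-key and unsigned totals point at packages that cannot be verified against any imported key.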
