How to configure GPG Keys in Yum

ARTIFACTORY: How to configure GPG Keys with Artifactory Remote Repositories

Author: Shisiya Sebastian
Article number: 000005583
First published: 2023-02-19T10:14:13Z
Last modified: 2023-02-19
Version: 1
To enable GPG signature checks in your yum clients, specify the GPG public key URL from the upstream repository in your yum client configuration:
gpgcheck=1
gpgkey=<URL to GPG public key>

The snippet below configures a mirror of the Elasticsearch repository, using an RPM remote repository named mysearchrpm whose upstream URL is "https://artifacts.elastic.co/packages/8.x/yum".

Based on the Elasticsearch documentation, add the repository to the yum repo configuration file /etc/yum.repos.d/artifactory.repo as follows.
[Artifactory]
name=Artifactory
baseurl=http://username:password_encoded@ARTIFACTORY_HOST:8081/artifactory/mysearchrpm/
enabled=1
gpgcheck=1
#Optional - if you have GPG signing keys installed, use the below flags to verify the repository metadata signature:
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
repo_gpgcheck=1

Here, gpgcheck=1 verifies the signatures of the packages and repo_gpgcheck=1 verifies the signature of the repository metadata. Because both the packages and the metadata are signed with the same key, a single gpgkey URL in the repo configuration, as above, covers both. Because the GPG key has not yet been imported on the client, yum asks for confirmation before importing it.
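
The following Python script is an added example, not part of the original article or of Artifactory, that audits a .repo file for the signature settings described above. The [Unsigned] stanza, its URLs, the finding labels and the function name audit_repo are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlsplit

TRUE = {"1", "yes", "true", "on"}  # assumption: spellings treated as "enabled"
# Constructed sample: the article's stanza plus a hypothetical weak one.
SAMPLE_REPO = """\
[Artifactory]
name=Artifactory
baseurl=http://username:password_encoded@ARTIFACTORY_HOST:8081/artifactory/mysearchrpm/
enabled=1
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
repo_gpgcheck=1

[Unsigned]
baseurl=https://ARTIFACTORY_HOST/artifactory/otherrpm/
gpgcheck=0
gpgkey=http://ARTIFACTORY_HOST/keys/example.asc
"""

def audit_repo(text):
    """Return {repo_id: [finding labels]} for each enabled stanza of a .repo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # interpolation=None: URL-encoded passwords contain '%'
    report = {}
    for repo in cp.sections():
        s = cp[repo]
        if repo == "main" or s.get("enabled", "1").strip().lower() not in TRUE:
            continue
        found = []
        for opt in ("gpgcheck", "repo_gpgcheck"):
            # An absent option inherits from [main] in yum.conf, so flag it for review.
            if s.get(opt, "").strip().lower() not in TRUE:
                found.append(opt + "-not-enabled")
        keys = s.get("gpgkey", "").replace(",", " ").split()
        if not keys:
            found.append("gpgkey-missing")
        # A key fetched over plain HTTP or FTP can be replaced in transit.
        found += ["gpgkey-insecure:" + k for k in keys
                  if urlsplit(k).scheme not in ("https", "file")]
        for url in s.get("baseurl", "").replace(",", " ").split():
            u = urlsplit(url)
            # Credentials embedded in a non-TLS URL cross the network in cleartext.
            if u.scheme != "https" and u.password:
                found.append("baseurl-cleartext-credentials")
        report[repo] = found
    return report

if __name__ == "__main__":
    print(audit_repo(SAMPLE_REPO))
```

An empty list for a stanza means none of these checks fired; it does not confirm that the key itself is the one the upstream publisher uses.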

Sample snippet of downloading a package from the Artifactory Elasticsearch repo:
yum install filebeat --disablerepo="*" --enablerepo="Artifactory"


Alternatively, you can download the package and import the GPG key, or you can import the GPG key directly from the upstream URL using the command below.
rpm --import <GPG_KEY_PATH or GPG_KEY_URL>

For example:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch