Thomas H Jones II

Reputation: 63

Package Verification Keys for CentOS SCL RPMs

This is probably a silly question, but...

Our security folks prefer that we enable GPG-checking for all RPMs to be installed. We've recently started using packages from the CentOS.Org packaging of Software Collections. When I try to install these, yum helpfully yells at me about not having verifiable keys. When I look at the CentOS.Org site's page concerning GPG keys, the SCL packages are shown as having a key/fingerprint, but, unlike the other keys listed on that page, there's no download link.

Is the GPG verification key simply not available or am I simply missing something blindingly obvious? At any rate, any help in tracking down a checking-key that I can install to my systems would be of great assistance.

Upvotes: 1

Views: 1910

Answers (1)

Dominic Cleal

Reputation: 3205

Each SIG has its own key, and the public key is distributed in the -release package in the CentOS Extras repository. The Extras repo packages are then signed by the main "CentOS 7 Signing Key" from CentOS GPG Keys.

The key for the SCLo SIG (special interest group) is missing from the main CentOS keys list, but it is still available in the release package.

Run yum install centos-release-scl (from Extras) to automatically configure the repository and public key.

Or if you want a copy of the public key itself, you can extract and verify it from the centos-release-scl package by hand:

  1. Download the centos-release-scl RPM directly, or use yumdownloader centos-release-scl (from yum-utils).
  2. Verify the file against the regular CentOS key:

    $ rpm -K centos-release-scl-2-2.el7.centos.noarch.rpm
    centos-release-scl-2-2.el7.centos.noarch.rpm: rsa sha1 (md5) pgp md5 OK
    
  3. Extract the key from the RPM into SCLo.pub:

    $ rpm2cpio centos-release-scl-2-2.el7.centos.noarch.rpm | cpio -i --to-stdout ./etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-SCLo > SCLo.pub
    

Upvotes: 2
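The step-2 check in the answer above deserves one caveat, shown here as an added example that is not part of the original answer: `rpm -K` exits 0 and prints "... OK" for a package that merely has valid digests and no signature at all, so a script that only looks for "OK" would happily extract a key from an unsigned RPM. The helper below accepts an `rpm -K` line only when it names a checked signature and does not say "NOT OK", and gates the `rpm2cpio` extraction on that; the file name and key id in the comments are constructed placeholders, and `rpm`, `rpm2cpio` and `cpio` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original answer.
# rpm -K output forms we must distinguish (signature wording varies by version):
#   "pkg.rpm: rsa sha1 (md5) pgp md5 OK"       rpm 4.11 (CentOS 7), signed, key known
#   "pkg.rpm: sha1 md5 OK"                     unsigned: digests only, still "OK"!
#   "pkg.rpm: ... pgp md5 NOT OK (MISSING KEYS: PGP#xxxxxxxx)"  signed, key not imported
#   "pkg.rpm: digests signatures OK"           rpm 4.14+ wording

# rpm_sig_ok "<one line of rpm -K output>": exit 0 only if a signature was verified
rpm_sig_ok() {
    printf '%s\n' "$1" | awk '
        /NOT OK/                          { bad = 1 }   # key missing or bad signature
        !/ OK *$/                         { bad = 1 }   # no trailing OK at all
        !/(pgp|gpg|PGP|GPG|signatures)/   { bad = 1 }   # digests only: nothing signed
        END { exit bad ? 1 : 0 }'
}

# verify_and_extract <rpm file> <key path inside rpm, with leading ./> <output file>
# Runs steps 2 and 3 from the answer, but refuses to extract unless rpm_sig_ok
# accepts the rpm -K line for the package.
verify_and_extract() {
    pkg=$1; keypath=$2; out=$3
    line=$(rpm -K "$pkg" 2>&1) || { echo "rpm -K failed: $line" >&2; return 1; }
    if ! rpm_sig_ok "$line"; then
        echo "refusing to extract key, signature not verified: $line" >&2
        return 1
    fi
    rpm2cpio "$pkg" | cpio -i --quiet --to-stdout "$keypath" > "$out"
}

# Example use (file name constructed; the key path inside the RPM is the one
# given in the answer):
# verify_and_extract centos-release-scl-2-2.el7.centos.noarch.rpm \
#     ./etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-SCLo SCLo.pub
```

Once `SCLo.pub` is extracted, compare its fingerprint (for example with `gpg --with-fingerprint SCLo.pub`) against the one listed on the CentOS GPG keys page before importing it with `rpm --import`.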
