Where to Find Custom RPM GPG Keys in RHEL/CentOS 6: Storage Location and Management


Many RHEL/CentOS 6 administrators encounter this scenario: you've successfully imported a GPG key using rpm --import, but when you search through /etc/pki/rpm-gpg/, the key is nowhere to be found. The confusion stems from how RPM actually stores these imported keys.

Unlike package files, which are stored in the filesystem, RPM manages imported GPG keys in its own database. When you execute:

rpm --import nginx_signing.key

the key is stored in RPM's internal database rather than as a separate file. You can verify this by querying RPM:

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

To view details of an imported key (like the nginx key in your example):

rpm -qi gpg-pubkey-7bd9bf62-4e4e3262

This will display the complete public key block along with metadata, exactly as shown in your example output.

If you need the key in file format (for backup or redistribution), use:

rpm -q gpg-pubkey-7bd9bf62-4e4e3262 --qf '%{description}' > nginx_signing.key

The /etc/pki/rpm-gpg/ directory typically contains:

  • Default distribution GPG keys that come with the OS installation
  • Keys placed there manually by administrators
  • Keys from some third-party repositories that use package installation

Keys imported via rpm --import won't appear here unless explicitly copied.

For the nginx repository specifically, here's the complete workflow:

# Download the key
wget http://nginx.org/keys/nginx_signing.key

# Import into RPM
rpm --import nginx_signing.key

# Verify import
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep nginx

To maintain proper key hygiene:

  1. Document all imported keys (name, fingerprint, source)
  2. Consider backing up keys extracted from RPM's database
  3. Regularly audit imported keys with rpm -qa 'gpg-pubkey*' (quote the glob so the shell does not expand it against files in the current directory)
  4. Remove obsolete keys with rpm -e gpg-pubkey-7bd9bf62-4e4e3262
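The audit step above becomes more useful once the two hex fields in each gpg-pubkey name are decoded and the list is compared against what the administrator has documented. The following is an added example, not code from the answer: RPM names an imported key gpg-pubkey-<keyid>-<ctime>, where <keyid> is the low 32 bits of the OpenPGP key ID and <ctime> is the key's creation time in seconds since the epoch, both as 8 hex digits. The allow-list EXPECTED_KEYIDS, the function names and the gpg-pubkey-deadbeef-... sample name are constructed for the example; only 7bd9bf62 comes from the question.

```shell
#!/bin/sh
# Added example (not from the answer above): audit the gpg-pubkey
# pseudo-packages that `rpm -qa 'gpg-pubkey*'` lists against a documented
# allow-list of key IDs, decoding the two hex fields in each name.
# gpg-pubkey-<keyid>-<ctime>: <keyid> = low 32 bits of the OpenPGP key ID,
# <ctime> = key creation time (seconds since the epoch), both in hex.

# Documented key IDs (constructed allow-list; 7bd9bf62 is the nginx key ID
# from the question).
EXPECTED_KEYIDS="7bd9bf62"

# decode_pubkey_name NAME -> prints "<keyid> <creation-epoch>", or returns 1
# when NAME is not of the form gpg-pubkey-XXXXXXXX-XXXXXXXX.
decode_pubkey_name() {
    printf '%s' "$1" | grep -Eq '^gpg-pubkey-[0-9a-f]{8}-[0-9a-f]{8}$' || return 1
    fields=${1#gpg-pubkey-}
    keyid=${fields%-*}
    ctime_hex=${fields#*-}
    # printf's %d accepts a 0x-prefixed hexadecimal argument
    printf '%s %d\n' "$keyid" "0x$ctime_hex"
}

# audit_pubkeys reads package names on stdin (one per line, as rpm -qa prints
# them) and writes one KNOWN/UNKNOWN/MALFORMED line per key. It returns 1 if
# any key is missing from EXPECTED_KEYIDS, so it can fail a cron job or a
# configuration-management check.
audit_pubkeys() {
    rc=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! decoded=$(decode_pubkey_name "$name"); then
            printf 'MALFORMED %s\n' "$name"
            rc=1
            continue
        fi
        keyid=${decoded%% *}
        epoch=${decoded#* }
        # GNU date renders the creation time; fall back to the raw epoch elsewhere
        created=$(date -u -d "@$epoch" +%Y-%m-%d 2>/dev/null || echo "$epoch")
        case " $EXPECTED_KEYIDS " in
            *" $keyid "*) status=KNOWN ;;
            *) status=UNKNOWN; rc=1 ;;
        esac
        printf '%s %s keyid=%s created=%s\n' "$status" "$name" "$keyid" "$created"
    done
    return $rc
}

# Stand-alone run: audit the live RPM database when rpm is available,
# otherwise a constructed sample whose second name is not on the allow-list.
if command -v rpm >/dev/null 2>&1; then
    rpm -qa 'gpg-pubkey*' | audit_pubkeys || echo "audit: undocumented keys present"
else
    printf '%s\n' gpg-pubkey-7bd9bf62-4e4e3262 gpg-pubkey-deadbeef-4e4e3262 | audit_pubkeys \
        || echo "audit: undocumented keys present"
fi
```

For the nginx key, decode_pubkey_name gpg-pubkey-7bd9bf62-4e4e3262 yields keyid 7bd9bf62 and creation epoch 1313747554 (19 August 2011). Keys whose creation time is far in the past or that belong to no documented repository are the ones worth a second look; the non-zero exit status is what lets a scheduled run of this check raise an alert rather than just print a list.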

When you import a GPG key using rpm --import on CentOS/RHEL 6 systems, the key gets stored in RPM's internal database rather than as a separate file in /etc/pki/rpm-gpg/. This behavior often confuses administrators who expect to find physical key files.

To confirm your nginx key was properly imported, run:

rpm -qa 'gpg-pubkey*'

For detailed key information (as shown in your example):

rpm -qi gpg-pubkey-7bd9bf62-4e4e3262

RPM maintains imported GPG keys in its Berkeley DB database located at:

/var/lib/rpm/Pubkeys

This binary file contains all imported public keys. To extract a specific key:

rpm -q gpg-pubkey-7bd9bf62-4e4e3262 --qf "%{description}\n" > nginx_signing.key

For backup purposes, always keep the original key file:

wget http://nginx.org/keys/nginx_signing.key
cp nginx_signing.key /etc/pki/rpm-gpg/

To re-import if needed:

rpm --import /etc/pki/rpm-gpg/nginx_signing.key

RPM's design centralizes key management for:

  • Better security through database access controls
  • Faster package verification
  • Simpler key revocation processes

If a key isn't being recognized:

rpm --rebuilddb

To completely remove a key:

rpm -e gpg-pubkey-7bd9bf62-4e4e3262
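The extract-and-backup steps above (rpm -q ... --qf "%{description}\n" > nginx_signing.key, then keeping the original download beside it) deserve one check before the exported file is trusted: that it really is a complete armored public key, and that it carries the same key material as the download. The following is an added example, not code from the answer. It assumes that RPM re-armors the key it stores under its own "Version:" header (naming rpm rather than GnuPG), so the two files are compared on their decoded packet bytes rather than byte for byte; the function names and the sample files are constructed, and the five-byte sample body stands in for a real key.

```shell
#!/bin/sh
# Added example (not from the answers above): sanity-check a key exported
# from the RPM database before keeping it as a backup, and confirm it holds
# the same OpenPGP packets as the originally downloaded file.

# armored_key_body FILE -> the base64 lines between the blank line that ends
# the armor headers and the "=CRC" line (or END line), without newlines.
armored_key_body() {
    awk '/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { inarmor = 1; next }
         inarmor && !body && /^$/          { body = 1; next }
         body && (/^=/ || /^-----END/)     { exit }
         body                              { print }' "$1" | tr -d '\n'
}

# key_packets_sha256 FILE -> SHA-256 of the decoded OpenPGP packet bytes.
key_packets_sha256() {
    armored_key_body "$1" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# check_armored_key FILE -> 0 if the file has BEGIN and END lines and its body
# decodes to data that starts with an OpenPGP public-key packet (tag 6):
# 0x98/0x99/0x9a in the old packet format, 0xc6 in the new one.
check_armored_key() {
    f=$1
    [ -s "$f" ] || { echo "$f: empty or missing" >&2; return 1; }
    grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' "$f" \
        || { echo "$f: no BEGIN line" >&2; return 1; }
    grep -q '^-----END PGP PUBLIC KEY BLOCK-----$' "$f" \
        || { echo "$f: no END line (truncated export?)" >&2; return 1; }
    tag=$(armored_key_body "$f" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
    case $tag in
        98|99|9a|c6) return 0 ;;
        *) echo "$f: body does not start with a public-key packet (first byte '$tag')" >&2
           return 1 ;;
    esac
}

# backup_matches ORIGINAL EXPORTED -> 0 if both files hold the same packets.
backup_matches() {
    check_armored_key "$1" && check_armored_key "$2" || return 1
    [ "$(key_packets_sha256 "$1")" = "$(key_packets_sha256 "$2")" ]
}

# Stand-alone demo on constructed files: the body mQACBAE= decodes to
# 99 00 02 04 01, an old-format public-key packet header with a 2-byte
# length, standing in for a real key; the =AAAA CRC line is a dummy.
demo_backup_check() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        'Version: GnuPG v1.4.11 (GNU/Linux)' '' 'mQACBAE=' '=AAAA' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$d/downloaded.key"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        'Version: rpm-4.8.0 (NSS-3)' '' 'mQAC' 'BAE=' '=AAAA' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$d/exported.key"
    backup_matches "$d/downloaded.key" "$d/exported.key"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_backup_check && echo "exported key matches the downloaded key"
```

Usage on a real system is check_armored_key nginx_signing.key followed by backup_matches /path/to/original/nginx_signing.key nginx_signing.key. The framing check also catches a common slip: querying a gpg-pubkey name that is not installed makes rpm -q print "package ... is not installed" on stdout, so the redirect leaves a text file with no armor at all, which would otherwise sit in /etc/pki/rpm-gpg/ looking like a backup until it is needed.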