How to Properly Remove a YUM Repository GPG Key in RHEL/CentOS Systems

The first time YUM needs a repository's signing key (to verify a package, or the repository metadata when repo_gpgcheck=1), it fetches the key from the repo's gpgkey= URL and asks whether to import it. Accepting writes the key into the RPM database as a gpg-pubkey package; it does not live in the repository configuration or the cache. That's why clearing the cache or editing the repo file leaves the key in place and the prompt does not come back.

First, verify the key exists in your RPM database:

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep 12345678

This will show output like:

gpg-pubkey-12345678-5e3006fb    gpg(John Doe <jdoe@example.com>)

To properly remove the key, you need to delete it from RPM's database:

sudo rpm -e --allmatches gpg-pubkey-12345678

Then clean your YUM cache:

sudo yum clean all
sudo rm -rf /var/cache/yum/*

Here's an Ansible playbook snippet to handle this removal. rpm -e exits non-zero when the package is not installed, so instead of ignore_errors (which would also hide a real failure) treat "is not installed" as already done and fail on anything else:

- name: Remove existing GPG key
  become: yes
  command: rpm -e --allmatches gpg-pubkey-12345678
  register: key_removal
  changed_when: key_removal.rc == 0
  failed_when:
    - key_removal.rc != 0
    - "'is not installed' not in key_removal.stderr"

- name: Clean yum cache
  become: yes
  command: yum clean all

- name: Remove cached metadata
  become: yes
  file:
    path: /var/cache/yum
    state: absent

The definitive check is the RPM database: rpm -q gpg-pubkey must no longer list the key. Whether the import prompt reappears on a given command depends on the repo configuration. With repo_gpgcheck=1 YUM verifies the metadata signature as soon as it refreshes the repo, so a check-update against that repo triggers the key fetch:

sudo yum --disablerepo="*" --enablerepo="artifactory" check-update

With only gpgcheck=1 the key is needed when a package is verified, so the prompt returns on the next install or update from that repo instead. Either way, if the prompt appears (or the key shows up in the RPM database again after an unattended run), the removal worked and the key was simply re-imported.

The settings that govern key handling live in the [main] section of /etc/yum.conf:

[main]
...
gpgcheck=1
repo_gpgcheck=1
localpkg_gpgcheck=1
assumeyes=0

gpgcheck=1 makes package signature verification mandatory for every repo that does not override it, repo_gpgcheck=1 extends that to repository metadata, localpkg_gpgcheck=1 to local .rpm files given on the command line, and assumeyes=0 (the default) makes YUM ask before importing a key. None of this prevents an import: yum -y, assumeyes=1, or an unattended run from configuration management answers the prompt with yes, and the key lands in the RPM database again without anyone reading the fingerprint. On hosts managed that way, the check has to happen before the import, by pointing gpgkey= at a known-good copy of the key whose fingerprint was compared against the one published by the repository owner.


When working with custom RPM repositories in Artifactory, GPG key management is central to package verification. The first time YUM needs the repository's key it shows a prompt like:

Retrieving key from https://artifactory.example.com/myrepo/repodata/repomd.xml.key
Importing GPG key 0x12345678:
 Userid     : "John Doe <jdoe@example.com>"
 Fingerprint: 1234 5678 90ab cdef 1234 5678 90ab cdef 1234 5678
 From       : https://artifactory.example.com/myrepo/repodata/repomd.xml.key

Once you answer y, the key is stored in the RPM database as a gpg-pubkey package, independent of the repository configuration: removing the .repo file or the cached key file does not remove it.

To fully remove a GPG key from your system, you need to:

  1. Clear the RPM database record
  2. Clean YUM caches
  3. Update repo configurations

First, identify the exact key you want to remove (quote the glob so the shell does not expand it against files in the current directory):

rpm -qa 'gpg-pubkey*'
rpm -qi gpg-pubkey-12345678-abcdef12

Then remove it using RPM:

sudo rpm -e gpg-pubkey-12345678-abcdef12

For infrastructure automation, use the rpm_key module. It takes the short (8 hex digit) key ID, the same value that appears in the gpg-pubkey package name, and state: absent is a no-op when the key is not imported, so no guard is needed. A guard such as "'gpg-pubkey-12345678-abcdef12' in ansible_facts.packages" would never match anyway: package_facts keys its dictionary by package name (here gpg-pubkey), not by name-version-release.

- name: Remove specific GPG key
  become: yes
  ansible.builtin.rpm_key:
    state: absent
    key: "12345678"

After removal, confirm with rpm -q gpg-pubkey that the key is gone, then clean the cache. Running yum check-update prompts for key acceptance again only if the repo has repo_gpgcheck=1 (metadata verification); with gpgcheck=1 alone the prompt returns on the next install or update from that repo:

sudo yum clean all
sudo rm -rf /var/cache/yum
sudo yum check-update
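The removal procedure just described (the same steps as in the first half of this page: find the gpg-pubkey package for the key, erase it, flush the cache, verify the key is gone) as a single script. This is an added example, not code from the article: the key ID 12345678 and the John Doe key are the article's placeholders, the second key and the sample rpm output are constructed, and the lookup is generalized slightly to accept a long key ID or a full fingerprint, because the gpg-pubkey package name carries only the low 32 bits of the key ID.

```shell
#!/bin/sh
# remove-repo-key.sh: remove an imported repository signing key from the RPM
# database, flush the yum cache and verify the key is gone.
# Added example, not code from the article. Key ID 12345678 and the John Doe
# key are the article's placeholders; everything else is constructed.

set -u

RPM_KEY_QUERY_FMT='%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

# RPM names an imported public key gpg-pubkey-<keyid>-<timestamp>, where
# <keyid> is the low 32 bits of the OpenPGP key ID (its last 8 hex digits) in
# lower case and <timestamp> is the key creation time in hex. Accept a short
# key ID, a long key ID or a full fingerprint, with or without spaces and a
# 0x prefix, and reduce it to that 8-digit form. Returns 1 on input that is
# not at least 8 hex digits.
normalize_keyid() {
    kid=$(printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
    kid=${kid#0x}
    case "$kid" in
        '' | *[!0-9a-f]*) return 1 ;;
    esac
    [ ${#kid} -ge 8 ] || return 1
    prefix=${kid%????????}            # everything before the last 8 digits
    printf '%s\n' "${kid#"$prefix"}"
}

# Filter the output of "rpm -q gpg-pubkey --qf $RPM_KEY_QUERY_FMT" (one
# "<name>-<version>-<release><TAB><summary>" line per key) down to the
# package names whose version field is the wanted key ID. Matching the field
# instead of grepping the whole line avoids a false hit on a key whose
# timestamp or summary happens to contain the same digits.
select_pubkey_packages() {
    want=$1
    while IFS="$(printf '\t')" read -r nvr _summary || [ -n "$nvr" ]; do
        case "$nvr" in
            gpg-pubkey-"$want"-*) printf '%s\n' "$nvr" ;;
        esac
    done
}

# Remove every gpg-pubkey package carrying the key, flush the cache and
# confirm the RPM database no longer knows the key. Needs root.
# Returns 0 when the key is absent afterwards, 1 on failure, 2 on bad input.
remove_repo_key() {
    kid=$(normalize_keyid "$1") || { echo "invalid key id: $1" >&2; return 2; }
    pkgs=$(rpm -q gpg-pubkey --qf "$RPM_KEY_QUERY_FMT" | select_pubkey_packages "$kid")
    if [ -z "$pkgs" ]; then
        echo "key $kid is not in the RPM database, nothing to remove" >&2
    else
        # --allmatches covers a key imported more than once (several
        # gpg-pubkey-<keyid>-* packages with different timestamps).
        printf '%s\n' "$pkgs" | xargs rpm -e --allmatches || return 1
    fi
    # Drop cached metadata and any cached copy of the key so the next run
    # fetches both afresh (the same two steps the article performs).
    yum clean all >/dev/null
    rm -rf /var/cache/yum/*
    # Verify: the query must now find nothing for this key ID.
    if rpm -q gpg-pubkey --qf "$RPM_KEY_QUERY_FMT" | select_pubkey_packages "$kid" | grep -q .; then
        echo "key $kid is still present" >&2
        return 1
    fi
    return 0
}

# Constructed sample of the rpm query output (not from a real system): an
# unrelated vendor key, plus the article's John Doe key imported twice.
SAMPLE_RPM_QUERY="$(printf 'gpg-pubkey-0a1b2c3d-5f0e0d0c\tgpg(Other Vendor <ops@example.org>)\ngpg-pubkey-12345678-5e3006fb\tgpg(John Doe <jdoe@example.com>)\ngpg-pubkey-12345678-61e3aa10\tgpg(John Doe <jdoe@example.com>)\n')"

# Usage (as root): ./remove-repo-key.sh 0x12345678
if [ $# -gt 0 ]; then
    remove_repo_key "$1"
fi
```

Feeding SAMPLE_RPM_QUERY through select_pubkey_packages shows why the field match matters: asking for 5e3006fb (a timestamp, not a key ID) returns nothing, whereas the article's grep would have returned that line.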

Moving the key file out of /etc/pki/rpm-gpg is sometimes suggested as a non-destructive way to test key acceptance, but it does not do that: the imported key lives in the RPM database, not in that file, so YUM keeps verifying with it and no prompt appears. The move only affects a repo whose gpgkey= points at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-artifactory, and for such a repo the next import attempt fails with a key retrieval error rather than asking again (the Artifactory repo in this article fetches its key over https, so it is not affected at all). The only way to get the prompt back is to erase the gpg-pubkey package as above; since the gpgkey= source can re-import it, that removal is not really permanent either.

sudo mv /etc/pki/rpm-gpg/RPM-GPG-KEY-artifactory /tmp/
sudo yum clean expire-cache

Setting gpgcheck=0 in the repo file makes YUM install packages from that repo without any signature check, which is precisely the control you are trying to debug. It can be a short-lived troubleshooting step on a test host, never a production setting: anything served from (or injected into) that repo then installs unchallenged. If you do use it, restore gpgcheck=1 together with a gpgkey= line as soon as the key problem is understood.

[artifactory]
name=Artifactory
baseurl=https://artifactory.example.com/myrepo
enabled=1
gpgcheck=0
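A way to make sure a "temporary" gpgcheck=0 does not survive into production: a small audit over .repo files that flags disabled signature checks, repos without a pinned key, and keys or base URLs fetched over plain http. This is an added example, not code from the article or from Artifactory; the two repo definitions embedded in it are constructed from the article's placeholders, the weak troubleshooting form beside the hardened one (signatures and metadata verified, key pinned to the repomd.xml.key URL the article shows YUM fetching it from).

```shell
#!/bin/sh
# audit-repo-gpg.sh: flag yum repository definitions that weaken signature
# verification. Added example, not code from the article; the sample repo
# definitions below are constructed from the article's placeholders.

set -u

# Read .repo files (arguments, or stdin when none are given) and print one
# "<repo-id>: <finding>" line per problem. Returns 0 when nothing was
# flagged, 1 otherwise. Only single-line values are parsed; a multi-line
# gpgkey= list is read as its first entry.
audit_repo_config() {
    findings=$(awk '
        function report() {
            if (id == "" || id == "main") return
            if (gpgcheck == "0")
                print id ": gpgcheck=0, package signatures are not verified"
            else if (gpgcheck == "")
                print id ": gpgcheck not set, relies on the [main] value in /etc/yum.conf"
            else if (gpgkey == "")
                print id ": gpgcheck=1 but no gpgkey=, the key must already be imported by other means"
            if (gpgkey ~ /^http:/)
                print id ": gpgkey fetched over plain http, a network attacker can substitute the key"
            if (baseurl ~ /^http:/)
                print id ": baseurl over plain http, integrity rests entirely on signature checks"
        }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                    # [repo-id] header
            report()
            id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
            gpgcheck = ""; gpgkey = ""; baseurl = ""
            next
        }
        /=/ {                                       # key = value
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
            else if (key == "baseurl") baseurl = val
        }
        END { report() }
    ' "$@")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the troubleshooting variant of the article's repo ...
WEAK_REPO='[artifactory]
name=Artifactory
baseurl=https://artifactory.example.com/myrepo
enabled=1
gpgcheck=0'

# ... and what it should look like once troubleshooting is over: package
# signatures verified, repository metadata verified, and the key pinned to
# the URL the article shows yum fetching it from, over TLS.
HARDENED_REPO='[artifactory]
name=Artifactory
baseurl=https://artifactory.example.com/myrepo
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://artifactory.example.com/myrepo/repodata/repomd.xml.key'

# Usage: ./audit-repo-gpg.sh /etc/yum.repos.d/*.repo   (exit 1 if anything is flagged)
if [ $# -gt 0 ]; then
    audit_repo_config "$@"
fi
```

The non-zero exit status makes it usable as a gate in a configuration-management run or CI job; WEAK_REPO produces exactly one finding and HARDENED_REPO none.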