To protect the packages in your Yum repositories on CentOS/Red Hat, you can use GPG (GNU Privacy Guard) to sign the RPM packages and verify their signatures before installing them. Here are the steps:
- Install the necessary packages to support GPG signing and verification:
sudo yum install gnupg2
- Generate a GPG key pair that will be used to sign packages. You can do this by running the following command:
gpg2 --gen-key
Follow the prompts to generate a new key pair. Be sure to choose a strong passphrase for your key.
- Export the public key for your GPG key pair, which will be used to verify the signature on packages. You can do this by running the following command:
gpg2 --export --armor <KEY_ID> > mykey.asc
Replace <KEY_ID> with the ID of the GPG key you generated in step 2.
- Copy the mykey.asc file to the Yum repository’s GPG keyring directory:
sudo cp mykey.asc /etc/pki/rpm-gpg/
- Create a new Yum repository configuration file (if one does not already exist) in the /etc/yum.repos.d/ directory. For example, you could create a file called myrepo.repo with the following contents:
[myrepo]
name=My Repository
baseurl=http://example.com/myrepo
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/mykey.asc
This tells Yum to check for a signature on all packages installed from the myrepo repository, and to use the GPG key located at /etc/pki/rpm-gpg/mykey.asc to verify the signature.
- Import the public key for any third-party repositories that you want to trust. For example, to import the EPEL repository’s key, you can run the following command:
sudo rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
This imports the EPEL repository’s key into your system’s GPG keyring so that you can verify the signature on packages installed from the EPEL repository.
That’s it! With GPG signing and verification in place, Yum will only install packages from a repository configured with gpgcheck=1 when they carry a valid signature from the configured key. If a package has been tampered with, its signature will not match and Yum will refuse to install it.
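Because the protection above only applies to repositories whose .repo section sets gpgcheck=1 and names a gpgkey, it is worth auditing /etc/yum.repos.d/ for sections that silently opt out. The following shell function is an added example, not part of the original guide: it reads a .repo file from standard input and reports each section with gpgcheck disabled or no gpgkey configured. The repo sections other than myrepo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a Yum .repo file for repositories that do not enforce
# GPG verification. Reads the file on stdin, prints "<repo> <problem>" per
# offending section, and returns 1 if any problem was found (0 otherwise).
audit_repo_file() {
    awk '
    BEGIN { bad = 0 }
    function flush() {
        if (sect == "") return
        if (gpgcheck != "1")  { print sect " gpgcheck-disabled"; bad = 1 }
        else if (gpgkey == "") { print sect " gpgkey-missing";   bad = 1 }
    }
    # A new [section] header: report the previous section, reset state.
    /^\[.*\]$/ { flush(); sect = substr($0, 2, length($0) - 2); gpgcheck = ""; gpgkey = ""; next }
    /^gpgcheck[ \t]*=/ { sub(/^gpgcheck[ \t]*=[ \t]*/, ""); gpgcheck = $0 }
    /^gpgkey[ \t]*=/   { sub(/^gpgkey[ \t]*=[ \t]*/,   ""); gpgkey = $0 }
    END { flush(); exit bad }
    '
}

# Constructed sample: the myrepo section from the guide plus two weak sections.
REPO_SAMPLE=$(cat <<'EOF'
[myrepo]
name=My Repository
baseurl=http://example.com/myrepo
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/mykey.asc

[unsigned-mirror]
name=Constructed: verification turned off
baseurl=http://example.com/mirror
gpgcheck=0

[nokey]
name=Constructed: check enabled but no key configured
baseurl=http://example.com/nokey
gpgcheck=1
EOF
)

# Run the audit against the sample; on a real host you would feed it
# each file under /etc/yum.repos.d/ instead.
printf '%s\n' "$REPO_SAMPLE" | audit_repo_file \
    || echo "one or more repositories do not enforce GPG verification"
```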