RPM & Yum

Yum Miscellany

Yum's configuration file is /etc/yum.conf. The man page yum.conf has details.

Yum Repositories

General

To list the repositories that Yum consults:

-> yum repolist
...
repo id                                   repo name                                          status
adobe-linux-x86_64                        Adobe Systems Incorporated                              2
fedora/20/x86_64                          Fedora 20 - x86_64                                 38,597
rpmfusion-free/20/x86_64                  RPM Fusion for Fedora 20 - Free                       468
...

By default, this report lists only enabled repositories; add option all or disabled to show disabled repositories, too.

For more information about a particular repository, say Fedora:

-> yum repolist -v fedora/20/x86_64 
...
Repo-id      : fedora/20/x86_64
Repo-name    : Fedora 20 - x86_64
Repo-status  : enabled
Repo-revision: 1386924430
Repo-tags    : binary-x86_64
Repo-distro-tags: [cpe:/o:fedoraproject:fedora:20]: Null
Repo-updated : Fri Dec 13 03:55:41 2013
Repo-pkgs    : 38,597
Repo-size    : 38 G
Repo-metalink: https://mirrors.fedoraproject.org/metalink?repo=fedora-20&arch=x86_64
  Updated    : Fri Dec 13 03:55:41 2013
Repo-baseurl : http://mirror.pnl.gov/fedora/linux/releases/20/Everything/x86_64/os/ (58 more)
Repo-expire  : 604,800 second(s) (last: Tue Aug 12 10:21:45 2014)
Repo-filename: /etc/yum.repos.d/fedora.repo
...

Yum determines its repositories by examining the configuration files present under /etc/yum.repos.d. Each file describes a repository to consult. You can use yum-config-manager to see all settings for a repository:

-> yum-config-manager fedora
Loaded plugins: langpacks, refresh-packagekit
================================= repo: fedora =================================
[fedora]
async = True
bandwidth = 0
...
-> yum-config-manager fedora | wc --lines
61

You can also use yum-config-manager to enable or disable a repository:

-> yum-config-manager --enable  adobe-linux-x86_64 > /dev/null
-> yum-config-manager --disable adobe-linux-x86_64 > /dev/null

Or, open the corresponding repo file, and set or unset the enabled parameter.

Adobe Repository

The Adobe repository provides the proprietary Adobe Flash Plugin for Firefox (package flash-plugin).

To add the Adobe repository:

-> rpm --install http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm
warning: /var/tmp/rpm-tmp.Pu2Aut: Header V3 DSA/SHA1 Signature, key ID f6777c67: NOKEY
-> yum repolist adobe*
...
adobe-linux-x86_64                        Adobe Systems Incorporated                         2
...

Adobe signed this package (with key f6777c67), but the package itself contains the corresponding public key to be imported:

-> rpm --query --info adobe-release-x86_64 | grep Signature
Signature   : DSA/SHA1, Fri 01 Apr 2011 01:25:05 PM EDT, Key ID 3a69bd24f6777c67
-> rpm --query gpg-pubkey-f6777c67
package gpg-pubkey-f6777c67 is not installed
-> rpm --query --list adobe-release-x86_64
/etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
/etc/yum.repos.d/adobe-linux-x86_64.repo
-> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
pub  1024D/F6777C67 2007-02-28 Adobe Systems Incorporated (Linux RPM Signing Key) <secure@adobe.com>
      Key fingerprint = 78A8 75E9 7F09 06BD 6355  73FA 3A69 BD24 F677 7C67

The above warning from rpm when installing adobe-linux-x86_64 reflects this chicken-and-egg conundrum. Adobe does not provide the fingerprint for its public key, so you cannot verify your copy. But you're stuck unless you accept the public key downloaded and unpacked above:

-> rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
-> rpm --query --info gpg-pubkey-f6777c67
Name        : gpg-pubkey
Version     : f6777c67
...
Summary     : gpg(Adobe Systems Incorporated (Linux RPM Signing Key) <secure@adobe.com>)
...

To see the repository's packages:

-> repoquery --repoid adobe-linux-x86_64 '*'
adobe-release-x86_64-0:1.0-1.noarch
flash-plugin-0:11.2.202.394-release.x86_64

To remove Adobe's repository and public key:

-> rpm --erase adobe-release-x86_64 gpg-pubkey-f6777c67

Google Repository

Google's Chrome browser (package google-chrome-stable) has its own repository.

To add the Google repository, first download and verify Google's public key for Linux packages:

-> wget https://dl-ssl.google.com/linux/linux_signing_key.pub
...
-> gpg --with-fingerprint linux_signing_key.pub
pub  1024D/7FAC5991 2007-03-08 Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
      Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
...

Check this fingerprint against the published fingerprint on Google's web page, above.

Next, import the verified key into RPM's keyring, and move the key's file into RPM's keyring directory:

-> rpm --import linux_signing_key.pub
-> rpm --query --queryformat "%{name} %{summary}\n" gpg-pubkey-7fac5991
gpg(Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>)
-> mv linux_signing_key.pub /etc/pki/rpm-gpg/RPM-GPG-KEY-google-linux

Finally, create a repo file for Yum:

-> cat <<EOF > /etc/yum.repos.d/google-chrome.repo
[google-chrome]
name=Google
baseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-google-linux
EOF
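
The verify-then-import steps above can be scripted as a gate that imports a key only when its full fingerprint equals a value pinned beforehand. This is an added example, not part of the original notes; the function names are hypothetical, and the parser assumes the gpg output layout shown above.

```shell
# Added example: compare a key's fingerprint with a pinned value before import.

# Reduce any rendering of a fingerprint to bare lowercase hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'A-F' 'a-f'
}

# Pull the fingerprint out of `gpg --with-fingerprint` text on stdin
# (assumes the output layout shown on this page).
fpr_from_gpg() {
    sed -n 's/^ *Key fingerprint = //p' | head -n 1
}

# True only for a full 40-hex-digit fingerprint equal to the pinned one;
# an 8- or 16-digit key ID is rejected even if it "matches".
fpr_matches() {   # $1 = pinned, $2 = observed
    want=$(normalize_fpr "$1")
    got=$(normalize_fpr "$2")
    case $got in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# Name of the pseudo-package that `rpm --import` creates for this key.
rpm_key_name() {
    printf 'gpg-pubkey-%s\n' "$(normalize_fpr "$1" | cut -c33-40)"
}

# Hypothetical wrapper for a real system: import only on a match.
import_if_pinned() {   # $1 = key file, $2 = pinned fingerprint
    seen=$(gpg --with-fingerprint "$1" | fpr_from_gpg)
    if fpr_matches "$2" "$seen"; then
        rpm --import "$1" && rpm_key_name "$seen"
    else
        echo "fingerprint mismatch for $1: not importing" >&2
        return 1
    fi
}

# gpg output copied from the session above, embedded so this runs offline.
SAMPLE_GPG_OUTPUT='pub  1024D/7FAC5991 2007-03-08 Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
      Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991'
# Stand-in for the value read off the publisher's page (lowercase rendering).
PINNED='4cca 1eaf 950c ee4a b839 76dc a040 830f 7fac 5991'

seen=$(printf '%s\n' "$SAMPLE_GPG_OUTPUT" | fpr_from_gpg)
fpr_matches "$PINNED" "$seen" && echo "match: $(rpm_key_name "$seen")"
```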

There's a variation which omits explicitly downloading and importing Google's signing key. This variation refers rpm to Google's server the first time rpm needs the key. Simply create the following repo file instead of the preceding version; it differs only in the last line:

-> cat <<EOF > /etc/yum.repos.d/google-chrome.repo
[google-chrome]
name=Google
baseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub 
EOF

When you have yum install Chrome for the first time, it will retrieve the key and ask for your approval to import it:

->  yum install google-chrome-stable
...
Public key for google-chrome-stable-36.0.1985.143-1.x86_64.rpm is not installed
...
Retrieving key from https://dl-ssl.google.com/linux/linux_signing_key.pub
Importing GPG key 0x7FAC5991:
 Userid     : "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>>"
 Fingerprint: 4cca 1eaf 950c ee4a b839 76dc a040 830f 7fac 5991
 From       : https://dl-ssl.google.com/linux/linux_signing_key.pub
Is this ok [y/N]: ...
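
The two repo files differ only in where the key comes from, which decides whether the fingerprint was checked before import or is approved at yum's prompt. The following added example (not from the original notes; audit_repo and its verdict labels are hypothetical) reports that for each repository section, using the page's google-chrome.repo as embedded input.

```shell
# Added example: summarise how each repo section obtains trust in its packages.
audit_repo() {   # stdin = contents of one or more .repo files
    awk '
    function scheme(v) {
        if (v ~ /^file:\/\//)  return "file"
        if (v ~ /^https:\/\//) return "https"
        if (v ~ /^http:\/\//)  return "http"
        return "other"
    }
    function emit(   verdict) {
        if (id == "") return
        if (chk ~ /^(0|no|false)$/)  verdict = "signatures-not-checked"
        else if (chk == "unset")     verdict = "inherits-main-section"
        else if (key == "none")      verdict = "no-key-configured"
        else if (key == "file")      verdict = "key-from-local-file"
        else if (key == "https")     verdict = "key-fetched-on-first-use"
        else                         verdict = "key-source-needs-review"
        printf "%s gpgcheck=%s gpgkey=%s baseurl=%s verdict=%s\n", id, chk, key, url, verdict
    }
    /^[ \t]*[#;]/ { next }                      # comment line
    /^[ \t]*\[[^]]+\]/ {                        # new [section]
        emit(); id = $0
        sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
        chk = "unset"; key = "none"; url = "none"; next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == "gpgcheck") chk = tolower(v)
        if (k == "gpgkey")   key = scheme(v)
        if (k == "baseurl")  url = scheme(v)
    }
    END { emit() }'
}

# The google-chrome.repo shown above, parameterised on the gpgkey value ($1).
sample_repo() {
    printf '%s\n' '[google-chrome]' 'name=Google' \
        'baseurl=http://dl.google.com/linux/chrome/rpm/stable/$basearch' \
        'enabled=1' 'gpgcheck=1' "gpgkey=$1"
}

sample_repo file:///etc/pki/rpm-gpg/RPM-GPG-KEY-google-linux | audit_repo
sample_repo https://dl-ssl.google.com/linux/linux_signing_key.pub | audit_repo
# On a real system: cat /etc/yum.repos.d/*.repo | audit_repo
```

A section reported as inherits-main-section takes its gpgcheck setting from the [main] section of /etc/yum.conf, so check that file as well.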

To see the repository's packages:

-> repoquery --repoid google-chrome '*'
google-chrome-beta-0:37.0.2062.68-1.x86_64
google-chrome-stable-0:36.0.1985.125-1.x86_64
google-chrome-unstable-0:38.0.2114.2-1.x86_64

RPM Fusion Repositories

To add the RPM Fusion free repository (package rpmfusion-free-release), first install the package, then verify the fingerprint of the installed signing key against the published fingerprint:

-> yum install --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm 
-> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-20
pub  4096R/AE688223 2013-01-01 RPM Fusion free repository for Fedora (20) <rpmfusion-buildsys@lists.rpmfusion.org>
     Key fingerprint = 0017 DDFE FD13 2929 9D55  B1D3 963A 8848 AE68 8223

The package installs additional keys for Fedora 21 and 22; verify these as required.

-> ls --classify /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free* | grep --invert-match @
/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-20-primary
/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-21-primary
/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-22-primary

To install the RPM Fusion nonfree repository (package rpmfusion-nonfree-release), substitute "nonfree" for "free" above:

-> yum install --nogpgcheck http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm 
-> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-20-primary
pub  4096R/B5F29883 2013-01-01 RPM Fusion nonfree repository for Fedora (20) <rpmfusion-buildsys@lists.rpmfusion.org>
      Key fingerprint = A84D CF58 46CB 10B6 5C47  6C35 63C0 DE8C B5F2 9883

These repositories offer hundreds of packages:

-> yum repolist --disablerepo '*' --enablerepo rpmfusion-*free
...
repo id                     ... repo name                          ... status
rpmfusion-free/20/x86_64    ... RPM Fusion for Fedora 20 - Free    ... 468
rpmfusion-nonfree/20/x86_64 ... RPM Fusion for Fedora 20 - Nonfree ... 203
repolist: 671

RPM Queries

To tell RPM what tags you want a query to report, use option --queryformat. For example:

-> rpm --query --group "Applications/Databases" --queryformat "%{name}: %{summary}\n" | sort
libdb-utils: Command line tools for managing Berkeley DB databases
mariadb: A community developed branch of MySQL
mariadb-libs: The shared libraries required for MariaDB/MySQL clients
mariadb-server: The MariaDB server and related files
sqlite: Library that implements an embeddable SQL database engine

To list the tags for --queryformat:

-> rpm --querytags
ARCH
..
XPM
-> rpm --querytags | wc --lines
189

See section Query Options of the man page for details.

To list the RPM package groups:

-> rpm --query --all --queryformat "%{group}\n" | sort --unique
Amusements/Graphics
...
User Interface/X Hardware Support
-> rpm --query --all --queryformat "%{group}\n" | sort --unique | wc --lines
31

Package Signatures

RPM repositories sign their packages with a private key, and rpm uses corresponding public keys to verify downloaded packages. The local RPM database maintains its own keyring for the repositories rpm searches, and rpm itself is used to manage this keyring.

Fedora signs its packages with a private key specific to each release. For example:

-> rpm --query --group 'Applications/Databases' --queryformat "%-15{name} | %{SIGPGP:pgpsig}\n";
libdb-utils     | RSA/SHA256, Wed 09 Oct 2013 11:51:06 PM EDT, Key ID 2eb161fa246110c1
sqlite          | RSA/SHA256, Tue 10 Jun 2014 12:18:56 PM EDT, Key ID 2eb161fa246110c1
mariadb-libs    | RSA/SHA256, Mon 30 Jun 2014 10:42:50 AM EDT, Key ID 2eb161fa246110c1
mariadb         | RSA/SHA256, Mon 30 Jun 2014 10:43:08 AM EDT, Key ID 2eb161fa246110c1
mariadb-server  | RSA/SHA256, Mon 30 Jun 2014 10:43:21 AM EDT, Key ID 2eb161fa246110c1

RPM verifies a package's signature against the corresponding public key stored under directory /etc/pki/rpm-gpg. The ID above corresponds to the primary key for Fedora 20:

-> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-primary
pub  4096R/246110C1 2013-05-16
      Key fingerprint = C7C9 A9C8 9153 F201 83CE  7CBA 2EB1 61FA 2461 10C1
uid                            Fedora (20) <fedora@fedoraproject.org>

Other repositories likewise sign their packages and provide a public key for subsequent verification. Directory /etc/pki/rpm-gpg comprises RPM's own keyring. Each of its files holds the public key of a repository:

-> ls -1 --classify /etc/pki/rpm-gpg | grep --invert-match '@' # grep to drop symbolic links
RPM-GPG-KEY-adobe-linux
RPM-GPG-KEY-fedora-20-primary
...
RPM-GPG-KEY-rpmfusion-nonfree-fedora-22-primary
-> file --brief /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-primary 
PGP public key block

Several packages populate this keyring:

-> rpm --query --file /etc/pki/rpm-gpg/* | sort --unique
adobe-release-x86_64-1.0-1.noarch
fedora-release-20-3.noarch
rpmfusion-free-release-20-1.noarch
rpmfusion-nonfree-release-20-1.noarch

Package fedora-release-20-3, in particular, provides Fedora's keys:

-> rpm --query --file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-primary
fedora-release-20-3.noarch

To see the available GPG keys plus summaries:

-> rpm --query --group "Public Keys" --queryformat "%{name}-%{version}-%{release}: %{summary}\n"
gpg-pubkey-ae688223-50e31483: gpg(RPM Fusion free repository for Fedora (20) ...
gpg-pubkey-b5f29883-50e31701: gpg(RPM Fusion nonfree repository for Fedora (20) ...
gpg-pubkey-246110c1-51954fca: gpg(Fedora (20) ...
gpg-pubkey-f6777c67-45e5b1b9: gpg(Adobe Systems Incorporated (Linux RPM Signing Key) ...

To see the details of a particular key, for example:

-> rpm --query --info gpg-pubkey-f6777c67-45e5b1b9
Name        : gpg-pubkey
Version     : f6777c67
Release     : 45e5b1b9
...

Public keys for RPM are stored as ASCII-armored metadata in an rpm file that is otherwise an empty package. For example:

-> rpm --query --list gpg-pubkey-246110c1-51954fca
(contains no files)
-> rpm --query --info gpg-pubkey-246110c1-51954fca
Name        : gpg-pubkey
Version     : 246110c1
Release     : 51954fca
...
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.11.1 (NSS-3)

mQINBFGVT8oBEADiEFecKV2eDgaIoK6O/+2UxTGYHpVJYHj7Jl2EGHZWJ3jaN2xD
...
=EJ/7
-----END PGP PUBLIC KEY BLOCK-----

To remove a key:

-> rpm --erase gpg-pubkey-f6777c67-45e5b1b9
-> rpm --query gpg-pubkey-f6777c67-45e5b1b9
package gpg-pubkey-f6777c67-45e5b1b9 is not installed

Yum plugin package yum-plugin-keys adds commands keys, keys-info, keys-data, and keys-remove.

-> yum keys 
Loaded plugins: keys, langpacks, refresh-packagekit
Key owner                                      ...  Key ID
Fedora (20)                                    ...  246110c1-51954fca
RPM Fusion free repository for Fedora (20)     ...  ae688223-50e31483
RPM Fusion nonfree repository for Fedora (20)  ...  b5f29883-50e31701
keys done
-> yum keys-info 246110c1-51954fca
Loaded plugins: keys, langpacks, refresh-packagekit
Type       : GPG
Rpm Key ID : 246110c1-51954fca
Key owner  : Fedora (20) 
...
Primary ID : Fedora (20) <fedora@fedoraproject.org>
Algorithm  : RSA (Encrypt or Sign)
Fingerprint: c7c9 a9c8 9153 f201 83ce 7cba 2eb1 61fa 2461 10c1
Key ID     : 2eb161fa246110c1
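
The signature query and the keyring listing in this section can be combined to find installed packages whose signing key is not (or no longer) in rpm's keyring, for example after a key has been erased. This is an added example, not part of the original notes: sig_audit is a hypothetical name, the sample lines are constructed from values shown on this page, and the query is widened with %{SIGGPG:pgpsig} because DSA signatures such as Adobe's are stored under that tag rather than SIGPGP.

```shell
# Added example: classify installed packages by whether their signing key
# is in rpm's keyring.
sig_audit() {   # $1 = short key IDs in the keyring; stdin = "name | sigs" lines
    awk -F ' *[|] *' -v trusted="$1" '
    BEGIN { n = split(tolower(trusted), t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    NF < 2 { next }
    $1 == "gpg-pubkey" { next }                  # keyring entries carry no signature
    {
        if (match($2, /Key ID [0-9A-Fa-f]+/)) {
            kid = tolower(substr($2, RSTART + 7, RLENGTH - 7))
            short = substr(kid, length(kid) - 7)   # last 8 digits = gpg-pubkey version
            status = (short in ok) ? "OK" : "UNKNOWN-KEY"
        } else {                                   # rpm prints "(none)" for a missing tag
            kid = "-"; status = "UNSIGNED"
        }
        print status, $1, kid
    }'
}

# Constructed sample in the layout "name | SIGPGP SIGGPG". The key IDs of the
# first two lines are taken from this page; local-build is invented.
SAMPLE_SIGS='libdb-utils | RSA/SHA256, Wed 09 Oct 2013 11:51:06 PM EDT, Key ID 2eb161fa246110c1 (none)
adobe-release-x86_64 | (none) DSA/SHA1, Fri 01 Apr 2011 01:25:05 PM EDT, Key ID 3a69bd24f6777c67
local-build | (none) (none)
gpg-pubkey | (none) (none)'
# Keyring after the Adobe key was erased, as listed by `yum keys` above.
SAMPLE_KEYRING='246110c1 ae688223 b5f29883'

printf '%s\n' "$SAMPLE_SIGS" | sig_audit "$SAMPLE_KEYRING"
# On a real system (assumed invocation):
#   rpm --query --all --queryformat '%{name} | %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' |
#       sig_audit "$(rpm --query gpg-pubkey --queryformat '%{version} ')"
```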

Removing a Kernel Package

To remove a retired kernel package (should disk space get tight, for example):

-> rpm --query --group "System Environment/Kernel" | grep kernel
kernel-3.15.6-200.fc20.x86_64
kernel-3.15.7-200.fc20.x86_64
kernel-3.15.8-200.fc20.x86_64
-> uname --kernel-release
3.15.8-200.fc20.x86_64
-> yum erase kernel-3.15.6-200.fc20.x86_64
...

RPM Developer Tools

Install the RPM Developer tools package rpmdevtools (Development tools) to build the Linux kernel from Fedora source files. (Building requires qt-devel and libXi-devel too.) To configure (as ordinary user):

-> mkdir /scratch/rpmbuild
-> cat > ~/.rpmmacros <<STOP
%_topdir      /scratch/rpmbuild
%_smp_mflags  -j3
%__arch_install_post /usr/lib/rpm/check-rpaths /usr/lib/rpm/check-buildroot
STOP
-> rpmdev-setuptree

This will create directory /scratch/rpmbuild with subdirectories BUILD, RPMS, SOURCES, SPECS, and SRPMS.