AlmaLinux 8, a popular open-source operating system built from the source code of Red Hat Enterprise Linux (RHEL), made a significant change in its GPG (GNU Privacy Guard) key infrastructure starting with AlmaLinux 8. The GPG key is used to verify the authenticity of packages, ensuring that they haven’t been tampered with.
Table of Contents
What Happened with the GPG Key in AlmaLinux 8?
The change in the GPG key usually relates to a key rotation or an upgrade in the cryptographic methods used to sign the packages for security reasons. AlmaLinux periodically updates its signing keys, and if you’re running AlmaLinux 8 and need to update or import the new GPG key, you’ll need to follow specific instructions.
Updating the GPG Key
To update or import the new GPG key, you can follow these steps:
Check for the Current GPG Key: Run the following command to list all the GPG keys that are currently installed:
rpm -qa gpg-pubkeyDownload and Import the New AlmaLinux GPG Key: If you want to make sure your system already includes and trusts new AlmaLinux 8 GPG key you can just import it
rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinuxThis command downloads and imports new AlmaLinux 8 GPG key to rpm database if it’s not there yet or does nothing if it’s already trusted. No more action required.
How to check your system and import new key
The new GPG key is included in the almalinux-release package version 8.8-3.el8 (released Oct 16, 2023) or higher. To see if your system already trusts the new AlmaLinux 8 GPG key you can run the following:
rpm -q gpg-pubkey-ced7258b-6525146fIf the new GPG key is already trusted, you will see the following message, and no further action is necessary:
gpg-pubkey-ced7258b-6525146fIf the GPG key is not trusted, you will see the following error:
package gpg-pubkey-ced7258b-6525146f is not installedIn this case we recommended that you import the new AlmaLinux 8 GPG key to the rpm database:
rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinuxConclusion
AlmaLinux 8 GPG key change is a routine security measure to ensure the integrity and authenticity of its packages. By updating the GPG key, AlmaLinux strengthens the cryptographic protection of its software distribution. Users should download and import the new GPG key, remove any outdated keys, and update their system to continue receiving verified packages securely. This process is critical for maintaining system security and trust in the open-source ecosystem.