If you want to enable GPG signature checks enabled in your yum clients, please make sure to specify the GPG public Key URL from the upstream repository in your yum client configuration.
Below snippet is a mirror for the ElasticSearch repository, using rpm remote repository mysearchrpm with the upstream URL as "https://artifacts.elastic.co/packages/8.x/yum".
Based on the elasticsearch document here, we need to add the repository to the yum repo configuration /etc/yum.repos.d/artifactory.repo as follows.
Here, gpgcheck=1 is set to verify the packages and repo_gpgcheck=1 is set to verify the metadata from the repository. Since both the packages and metadata are signed using the same key, you can specify that GPGkey URL in the repo configuration as above. Since the GPGKeys are not already imported to the yum repository, it will ask for confirmation.
Sample snippet of downloading a package from the Artifactory Elasticsearch repo:
Alternatively, you can download the package and import GPG Key or you can directly import the GPG key from the upstream URL using the command below.
For Example:
gpgcheck=1 gpgKey=<URL to GPG public key>
Below snippet is a mirror for the ElasticSearch repository, using rpm remote repository mysearchrpm with the upstream URL as "https://artifacts.elastic.co/packages/8.x/yum".
Based on the elasticsearch document here, we need to add the repository to the yum repo configuration /etc/yum.repos.d/artifactory.repo as follows.
[Artifactory] name=Artifactory baseurl=http://username:password_encoded@ARTIFACTORY_HOST:8081/artifactory/mysearchrpm/ enabled=1 gpgcheck=1 #Optional - if you have GPG signing keys installed, use the below flags to verify the repository metadata signature: gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch repo_gpgcheck=1
Here, gpgcheck=1 is set to verify the packages and repo_gpgcheck=1 is set to verify the metadata from the repository. Since both the packages and metadata are signed using the same key, you can specify that GPGkey URL in the repo configuration as above. Since the GPGKeys are not already imported to the yum repository, it will ask for confirmation.
Sample snippet of downloading a package from the Artifactory Elasticsearch repo:
yum install filebeat --disablerepo="*" --enablerepo="Artifactory"
Alternatively, you can download the package and import GPG Key or you can directly import the GPG key from the upstream URL using the command below.
rpm --import <GPG_KEY_PATH>/<GPG_KEY_URL>
For Example:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch