CSUF LogoCSUF Site Navigation

F12 Hosting a Yum Repository GnuPG Key

Department of Electrical and Computer Engineering
Associate Professor Gregory R. Kriehn
F12 GnuPG Key

Before I built my Yum Repository, I had to create a GnuPG Key so that I could sign RPMs that were created to ensure their authenticity. Basically, GnuPG is a tool for secure communication:

GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate. GnuPG uses a somewhat more sophisticated scheme in which a user has a primary keypair and then zero or more additional subordinate keypairs. The primary and subordinate keypairs are bundled to facilitate key management and the bundle can often be considered simply as one keypair.

To create a GnuPG key pair, first create a hidden directory called .gnupg in your home directory:

~> cd ~/
~> mkdir .gnupg
Next, generate the key pair:
~> gpg --gen-key
This will lead to a selection screen with the following options:
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?
Select the first option, since the others cannot be used for encryption.
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Select 2048 and hit enter (the default choice).
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Since I am planning on keeping my repository around for the foreseeable future, I do not want my key to expire. But be careful. If you choose a key that does not expire, and you want to change it later, you will first have to revoke the key and it may be difficult to communicate a change to users who have your public key. In my case, I hit '0' and Enter.
Key does not expire at all
Is this correct? (y/N)
To verify, press 'y' and Enter. Then Enter your name, e-mail address, and a comment:
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Dr. Gregory R. Kriehn
Email address: gkriehn@csufresno.edu
Comment: Professor Kriehn
Press 'O' to continue:
You selected this USER-ID:
    "Dr. Gregory R. Kriehn (Professor Kriehn) <gkriehn@csufresno.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
Then you will have to choose a passphrase to protect your key. Be sure to use a strong password. From the perspective of security, the passphrase to unlock the private key is one of the weakest points in GnuPG (and other public-key encryption systems as well) since it is the only protection you have if another individual gets your private key. Ideally, the passphrase should not use words from a dictionary and should mix the case of alphabetic characters as well as use non-alphabetic characters. A good passphrase is crucial to the secure use of GnuPG.

NOTE:  Forgetting your passphrase will result in your key being useless. Remember this passphrase carefully, there is no way to recover it when it's lost. After you type your passphrase twice, the key will be generated.

Enter passphrse:
Repeat passphrase:
Please follow the instructions on the screen till you reach a screen similar to the one below.
gpg: key F8F5F58A marked as ultimately trusted
public and secret key created and signed.

pub   1024D/F8F5F58A 2007-12-05
      Key fingerprint = B4FD 3733 1E43 1007 44BA  D909 AEDB DBFC F8F5 F58A
uid                  Dr. Gregory R. Kriehn (Professor Kriehn) <gkriehn@csufresno.edu>
sub   2048g/333255A3 2007-12-05
In my case, the key-id is F8F5F58A (yours will be different).

It's probably a good idea to set this key as default in your .bashrc file, so that applications using GPG can automatically use your key. Do this by entering the line below in your ~/.bashrc file. Please note that will be sourced only during your next session, unless you source it manually.

export GPGKEY=F8F5F58A
Then source your ~/.bashrc file:
~> source ~/.bashrc
Finally, export your public key and save it as a text file. In my case, I executed the following:
~> gpg --export --armor --comment "Professor Kriehn's GnuPG Key" --comment "http://optics.csufresno.edu/" > RPM-GPG-KEY-kriehn
Your GnuPG key is now ready for use.