
What is a GPG key and why do I need it?

I get this nagging error when I install a fresh CentOS VPS machine:

GPG key retrieval failed: [Errno 5] OSError: [Errno 2] No such file or directory: '/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL'

chrisjlee

1 Answer

A key like this is used to sign and verify the packages you are downloading to be sure they are legit.

If the error you describe happens you should be prompted to download a replacement set of keys from the net. If not you can do so by hand.

Strictly speaking these signatures are not necessary - you can still install software as you have seen - but the security of your system is significantly reduced without their use.

Tim Brigham
  • I don't know about significantly reduced. If you are retrieving the GPG key from the same source over the same network as the package, it seems just as likely that someone could serve up an invalid key for you to download as they could the package. – Zoredache Feb 01 '12 at 18:47
  • @Zoredache - fair enough. My understanding is that the file is downloaded one time and cached, therefore unless the mirror was compromised at the time the new repo started being used, that would be detected. Sound right to you? – Tim Brigham Feb 01 '12 at 19:18
  • Normally you would get your first key via the installation media, which you would have verified via some other method. The first key will then be used to verify any other keys. If you are talking about third-party repos, you would want to verify those using some other method. – Zoredache Feb 01 '12 at 19:21
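The answer and comments above describe the situation behind the error (a repo configured to verify signatures, but the key file it points at is not on disk) and why a disabled or remotely fetched key is a weaker position. The following is an added example, not code from the answer or from CentOS/EPEL: a POSIX sh audit that reads a yum/dnf `.repo` file and reports, per section, whether `gpgcheck=1` is set and whether the `file://` key it names actually exists. The repo file, the directory and the key file names it uses are constructed for the demo; the only real path referenced is the `/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL` convention from the error message in the question.

```shell
#!/bin/sh
# Audit a yum/dnf .repo file (added example, constructed input). For every
# [section] it prints "<section> <verdict>", where the verdict is one of:
#   ok                  gpgcheck=1 and the file:// key it names is readable
#   gpgcheck-disabled   signatures will not be checked at all
#   no-gpgkey           gpgcheck=1 but no key is configured
#   key-missing:<path>  gpgcheck=1 but the key file is absent, which is the
#                       state behind the "No such file or directory" error
#   remote-key:<url>    the key is fetched over the network on first use

_repo_verdict() {
    # Uses the globals set by audit_repo_gpg for the section just finished.
    [ -n "$section" ] || return 0
    verdict="ok"
    if [ "$gpgcheck" != "1" ]; then
        verdict="gpgcheck-disabled"
    else
        case "$gpgkey" in
            "")       verdict="no-gpgkey" ;;
            file://*) path="${gpgkey#file://}"
                      [ -r "$path" ] || verdict="key-missing:$path" ;;
            *)        verdict="remote-key:$gpgkey" ;;
        esac
    fi
    printf '%s %s\n' "$section" "$verdict"
}

audit_repo_gpg() {
    section=""; gpgcheck=""; gpgkey=""
    while IFS= read -r raw || [ -n "$raw" ]; do
        # Drop blanks so "gpgcheck = 1" and "gpgcheck=1" parse the same way.
        line=$(printf '%s' "$raw" | tr -d ' \t')
        case "$line" in
            \[*\])      _repo_verdict
                        section="${line#\[}"; section="${section%\]}"
                        gpgcheck=""; gpgkey="" ;;
            gpgcheck=*) gpgcheck="${line#gpgcheck=}" ;;
            gpgkey=*)   gpgkey="${line#gpgkey=}" ;;
        esac
    done < "$1"
    _repo_verdict
}

# --- constructed demo input (not a real repo file or real key) ---
demo_dir=$(mktemp -d)
printf 'placeholder, not a real public key\n' > "$demo_dir/RPM-GPG-KEY-LOCAL"
cat > "$demo_dir/example.repo" <<EOF
[epel]
name=Extra Packages (constructed example)
gpgcheck=1
gpgkey=file://$demo_dir/RPM-GPG-KEY-EPEL

[local]
name=Local mirror (constructed example)
gpgcheck = 1
gpgkey=file://$demo_dir/RPM-GPG-KEY-LOCAL

[untrusted]
name=No signature checking (constructed example)
gpgcheck=0
EOF

audit_repo_gpg "$demo_dir/example.repo"
```

Run it against `/etc/yum.repos.d/*.repo` on a real host to find sections in the `key-missing` or `gpgcheck-disabled` state. A missing key is fixed by placing the vendor's key at the configured path (from the installation media or another channel you have verified, as the comments suggest) and importing it with `rpm --import`; `rpm -qa 'gpg-pubkey*'` lists the keys the RPM database already trusts, and `rpm -K package.rpm` checks an individual package against them.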