On openSUSE, package signing keys are installed as pseudo-packages. But keys expire and get rolled over, so old ones need to be purged. Which keys are actually used to sign packages? This is surprisingly hard to find out.
After a lot of digging, with a clue from rpm --querytags (which lists all the properties that an RPM package might have), I found how to print the keyID by which a package was signed. This script will produce a list of all packages with their keyIDs, followed by a count of how many packages were signed by each key.

    scr=/var/tmp/keyids.dat
    pkg=-a    # Can be -a
    qfmt="%{NAME}-%{VERSION}-%{RELEASE}\t%{RSAHEADER:pgpsig}\n"
    # One line per package: keyID first, then the package name
    rpm -q --queryformat "$qfmt" $pkg | awk '{print $NF, $1}' | sort | tee $scr
    echo ""
    # Number of packages signed by each keyID
    awk '{print $1}' $scr | uniq -c

The last 8 hex digits of the keyID are used as part of the name of the installed key pseudo-package. If you do rpm -qi gpg-pubkey-$keyID-$hash, it will show the name of the key's owner, the build date (when the key was created), and the content of the key, base64 encoded and with banner lines, so you could install it on another host.
rpm -q gpg-pubkey (or -qi) will list all installed keys, and you can now identify keys that sign no packages, or that have signed packages but which are not installed.
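
The comparison described above can be automated. The following is an added example, not part of the original page: it takes the saved output of the package query and of rpm -q gpg-pubkey and reports installed keys that sign nothing and signing keys that are not installed. The function names, file names, and the sample package names and keyIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: compare the keyIDs that signed
# installed packages with the installed gpg-pubkey pseudo-packages.

# stdin: "name-version-release<TAB>pgpsig" lines; stdout: unique short keyIDs.
signing_ids() {
    awk 'NF >= 3 && $(NF-2) == "Key" && $(NF-1) == "ID" {
             id = tolower($NF); print substr(id, length(id) - 7) }' | LC_ALL=C sort -u
}

# stdin: "gpg-pubkey-<keyid>-<release>" names; stdout: unique short keyIDs.
installed_ids() {
    sed -n 's/^gpg-pubkey-\([0-9A-Fa-f]\{8\}\)-.*/\1/p' | tr 'A-F' 'a-f' | LC_ALL=C sort -u
}

# audit_keys SIGFILE KEYFILE
#   UNUSED  = key is installed, but no installed package is signed by it
#   MISSING = key signed an installed package, but is not installed
audit_keys() {
    tmp=$(mktemp -d) || return 1
    signing_ids < "$1" > "$tmp/signed"
    installed_ids < "$2" > "$tmp/installed"
    LC_ALL=C comm -13 "$tmp/signed" "$tmp/installed" | sed 's/^/UNUSED /'
    LC_ALL=C comm -23 "$tmp/signed" "$tmp/installed" | sed 's/^/MISSING /'
    rm -rf "$tmp"
}

# Constructed sample data (package names and keyIDs are made up).
sample_sigs() {
    printf '%s\t%s\n' \
        'alpha-1.0-1.1' 'RSA/SHA256, Mon 01 Jan 2024 10:00:00 AM UTC, Key ID 1111aaaa2222bbbb' \
        'beta-2.3-4.1'  'RSA/SHA256, Tue 02 Jan 2024 10:00:00 AM UTC, Key ID 1111aaaa2222bbbb' \
        'gamma-0.9-2.2' 'RSA/SHA512, Wed 03 Jan 2024 10:00:00 AM UTC, Key ID 3333cccc4444dddd' \
        'gpg-pubkey-2222bbbb-5f000000' '(none)'
}
sample_keys() {
    printf '%s\n' 'gpg-pubkey-2222bbbb-5f000000' 'gpg-pubkey-5555eeee-60000000'
}

# Live use, with the same query format as the script above:
#   rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\t%{RSAHEADER:pgpsig}\n' > sigs
#   rpm -q gpg-pubkey > keys
#   audit_keys sigs keys

# Demo on the constructed data:
d=$(mktemp -d); sample_sigs > "$d/s"; sample_keys > "$d/k"; audit_keys "$d/s" "$d/k"; rm -rf "$d"
```

A MISSING line means packages from that signer can no longer be verified against the local keyring; an UNUSED line is a candidate for removal after checking that no configured repository still relies on that key.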