Jim Carter's Bugfixes

Which Package Signing Keys Do I Need?

James F. Carter
2021-01-01
Symptom:

On openSUSE, package signing keys are installed as pseudo-packages. But keys expire and get rolled over, so stale ones need to be purged. Which keys are actually used to sign the installed packages? This is surprisingly hard to find out.

How to fix:

After a lot of digging, with a clue from rpm --querytags (which lists all the properties that an RPM package might have), I found how to print the keyID by which a package was signed. This script will produce a list of all packages with their keyIDs, followed by a count of how many packages were signed by each key.

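scr=/var/tmp/keyids.dat
pkg=-a  # -a for all installed packages, or one or more package names
# Each output line: package name, a tab, then the signature description (keyID is its last word)
qfmt="%{NAME}-%{VERSION}-%{RELEASE}\t%{RSAHEADER:pgpsig}\n"
# Print "keyID package" sorted by keyID; $pkg is left unquoted so several names split into arguments
rpm -q --queryformat "$qfmt" $pkg | awk '{print $NF, $1}' | sort | tee "$scr"
echo ""
# Count how many packages each key signed
awk '{print $1}' "$scr" | uniq -c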

The last 8 hex digits of the keyID are used as part of the name of the installed key pseudo-package. If you do rpm -qi gpg-pubkey-$keyID-$hash, it will show the name of the key's owner, the build date (when the key was created), and the content of the key, base64 encoded and with banner lines, so you could install it on another host.

rpm -q gpg-pubkey (or -qi) will list all installed keys, and you can now identify keys that sign no packages, or that have signed packages but which are not installed.
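
The comparison described above can be scripted. This is an added example, not the author's code: the function names and the sample data are constructed for illustration, and keys are matched on the last 8 hex digits of the keyID, as in the pseudo-package names.

```shell
#!/bin/sh
# Added example (not from the original page): report installed keys that sign
# nothing, and signing keys that are not installed. Function names are made up.
LC_ALL=C; export LC_ALL

# stdin: "name-ver-rel pgpsig" lines -> unique short (last 8 hex) keyIDs.
# awk splits on any whitespace, so the tab from the query format is fine.
signing_ids() {
    awk '{ id = tolower($NF) }
         id ~ /^[0-9a-f]+$/ && length(id) >= 8 { print substr(id, length(id) - 7) }' |
        sort -u
}

# stdin: `rpm -q gpg-pubkey` output -> unique short keyIDs from the package names
installed_ids() {
    sed -n 's/^gpg-pubkey-\([0-9a-fA-F]\{8\}\)-.*/\1/p' | tr 'A-F' 'a-f' | sort -u
}

# compare_keys SIGFILE KEYFILE
compare_keys() {
    s=$(mktemp) && k=$(mktemp) || return 1
    signing_ids < "$1" > "$s"
    installed_ids < "$2" > "$k"
    comm -13 "$s" "$k" | sed 's/^/unused /'     # installed but signs no package
    comm -23 "$s" "$k" | sed 's/^/missing /'    # signs packages, key not installed
    rm -f "$s" "$k"
}

# Constructed sample data (keyIDs are invented); unsigned entries show "(none)".
sample_report() {
    d=$(mktemp -d) || return 1
    cat > "$d/sigs" <<'EOF'
alpha-1.0-1 RSA/SHA256, Fri 01 Jan 2021 12:00:00 PM UTC, Key ID aaaa0000aaaa1111
beta-2.0-3 RSA/SHA256, Fri 01 Jan 2021 12:00:00 PM UTC, Key ID aaaa0000aaaa1111
gamma-0.5-2 RSA/SHA256, Fri 01 Jan 2021 12:00:00 PM UTC, Key ID bbbb0000bbbb2222
gpg-pubkey-aaaa1111-5f000000 (none)
EOF
    printf '%s\n' gpg-pubkey-aaaa1111-5f000000 gpg-pubkey-cccc3333-5e000000 > "$d/keys"
    compare_keys "$d/sigs" "$d/keys"
    rm -rf "$d"
}

# On a real host, feed it live data instead:
#   rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\t%{RSAHEADER:pgpsig}\n' > sigs
#   rpm -q gpg-pubkey > keys;  compare_keys sigs keys
sample_report
```

An 8-digit keyID is short enough that two different keys can share it, so check the owner with rpm -qi before purging a key reported as unused.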

