RPM --import vs GPG --import

GPG keys are stored in the /etc/pki/rpm-gpg directory as part of the CentOS 6/RHEL 6 install. Looking through the contents of this directory, files like RPM-GPG-KEY-CentOS-release exist. To actually use a key to verify packages, it must be imported.

The following command lists the contents of /etc/pki/rpm-gpg:

ls /etc/pki/rpm-gpg | xargs -n1 basename

There are two seemingly independent methods to import the keys: one using gpg, the other rpm.

gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

rpm version 4.1 supports the --import switch. A fresh basic install of CentOS 6.4 reveals version 4.8. For older versions of RPM, you'll need to use GPG for importing the key. Note that if you're using apt-get, you should import with GPG and RPM (if your RPM supports this, of course). apt-get uses the key from GPG for verifying repository files, whereas RPM may handle it internally for verifying package signatures.

Red Hat uses gpg and rpm interchangeably. The online Red Hat documentation reads: "[i]mport the key to the RPM database to allow RPM origin and integrity verification by running the gpg --import as root on all target systems: rpm --import EXAMPLE-RPM-GPG-KEY"

However, as mentioned before, these seem independent of one another. Suppose the key is imported using only gpg:

gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
gpg: key C105B9DE: public key "CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

Verify the import using gpg:

gpg -k
pub 4096R/C105B9DE 2011-07-03 [expires: 2021-06-30]
uid CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>

Verifying the import using rpm returns nothing:

rpm -qa gpg-pubkey


rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
package gpg-pubkey is not installed

Now after removing the gpg key with the following command:

gpg --delete-keys "CentOS-6 Key"

Then install the key using rpm and verify it with gpg and rpm. The results:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
gpg -k
rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
gpg(CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>)
rpm -qa gpg-pubkey

Remove the key using rpm:

rpm -e --allmatches gpg-pubkey

Digital signatures cannot be verified without a public key. An ASCII
armored public key can be added to the rpm database using --import. An
imported public key is carried in a header, and key ring management is
performed exactly like package management. For example, all currently
imported public keys can be displayed by:

rpm -qa gpg-pubkey*

A quick test. On a system with no gpg or rpm keys imported, attempt to install tree with the command yum install tree. The result:

yum install tree
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
Package: centos-release-6-4.el6.centos.10.x86_64 (@anaconda-CentOS-201303020151.x86_64/6.4)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Is this ok [y/N]: 

When importing only the gpg key and attempting the same command, yum install tree, the result is the same.
Remove the gpg key, install the key using rpm, then execute yum install tree. The prompt is not there!

Alternatively, the command yum install -y tree will import the key automatically.
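The key ID yum shows at the "Is this ok" prompt (0xC105B9DE) and the gpg-pubkey package name rpm assigns are both derived from the key file itself, so they can be checked against a known-good fingerprint before the key lands in the rpm database. The following script is an added example, not code from the original post: it parses an ASCII-armored v4 public key per RFC 4880, computes the fingerprint, the 8-hex-digit key ID and the gpg-pubkey-<keyid>-<created> name rpm uses, and ships with a constructed toy key (not a real signing key) as sample input.

```python
import base64
import hashlib
import struct

def dearmor(text):
    """Drop the BEGIN/END lines, 'Key: value' headers and '=CRC' trailer; decode base64."""
    lines = text.strip().splitlines()[1:-1]  # assumes the file starts with BEGIN, ends with END
    b64 = [s for s in (l.strip() for l in lines) if s and ":" not in s and s[0] != "="]
    return base64.b64decode("".join(b64))

def first_packet(data):
    """Return (tag, body) of the first OpenPGP packet; old- and new-format headers."""
    ctb = data[0]
    if ctb & 0xC0 == 0xC0:  # new-format header (RFC 4880 4.2.2)
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    elif ctb & 0x80:  # old-format header (RFC 4880 4.2.1); 0x99 is tag 6, 2-byte length
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = 1 + (1, 2, 4)[ltype]
        length = int.from_bytes(data[1:off], "big")
    else:
        raise ValueError("not an OpenPGP packet")
    return tag, data[off:off + length]

def key_info(armored):
    """Return (fingerprint, key ID, rpm gpg-pubkey name) for a v4 public key (RFC 4880 12.2)."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a v4 public-key packet")
    created = struct.unpack(">I", body[1:5])[0]
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    keyid = fp[-8:]  # the 0xC105B9DE that yum prints and rpmts_HdrFromFdno warns about
    return fp, keyid, "gpg-pubkey-%s-%08x" % (keyid.lower(), created)

def build_sample_key(created=1309651200, n=0xC0FFEE0DDF00D, e=65537):
    """Constructed toy RSA key packet in armor (NOT a real key; n is far too small)."""
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    pkt = b"\x99" + struct.pack(">H", len(body)) + body  # old-format tag 6, 2-byte length
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + base64.b64encode(pkt).decode() + "\n=NoCRC\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Run key_info() on the real /etc/pki/rpm-gpg file and compare the fingerprint to the value published by the distribution; the rpm name it returns is what rpm -qa gpg-pubkey lists after --import.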

Conclusion: Both methods seem to work. According to one source both methods may be required for apt-get; however, for CentOS users yum is used, so both methods are not required. Since the RHCSA book printed in 2011 uses rpm, not gpg, for importing keys, I am leaning towards that method. Alternatively, I will likely not import any keys and allow the yum install process to import the keys as needed. Yes, I am making the assumption that gpg-check is enabled.

Jang, Michael, and Peter Hancik. RHCSA / Exams (EX200 & EX300). New York: McGraw-Hill, 2011. Print.
man rpm