GPG keys used by Fedora Project
How does Fedora Project use GPG keys to sign packages
Each stable RPM package published by the Fedora Project is signed with a GPG signature. By default, yum and the graphical update tools verify these signatures and refuse to install any package that is unsigned or carries a bad signature. Always verify the signature of a package before you install it. A valid signature proves that the package is the one produced by the Fedora Project and that it has not been altered, accidentally or maliciously, by a mirror or website that serves it. It proves nothing beyond that: a correctly signed package can still be outdated or contain bugs.
Packages downloaded directly from the koji build system are not signed, so treat them with caution. Similarly, bleeding-edge packages in Rawhide are not necessarily signed.
Importing keys
The keys ship in the fedora-release package and are installed in the /etc/pki/rpm-gpg directory. Note that not all keys in this directory are used by the Fedora Project: some sign Red Hat Enterprise Linux packages and some are no longer used at all. If you use Red Hat Enterprise Linux packages, see https://www.redhat.com/security/team/key. The keys used by Fedora are referenced from the yum repository configuration (the gpgkey directive of each repository), so you generally do not need to import them into the rpm database by hand.
In addition to the fedora-release package and this web page, you can download the Fedora keys from a public key server, such as keys.gnupg.net. A key server only shows that a key exists under a given name; compare its fingerprint with the values on this page before you trust it.
For repositories whose configuration points at a key file, which the stable and testing repositories do in the default configuration, yum locates the key itself. If the key is not yet in the rpm database, yum shows the key and asks for confirmation before importing it; compare the key it shows with the lists below before you confirm.
You can always import a key into RPM's database by hand using the following command:
rpm --import PUBKEY ...
Refer to the rpm(8) manual page for more information.
If you want to verify that the keys installed on your system match the keys listed here, you can use GnuPG to check that the fingerprint of the key matches. For example:
$ gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-primary
...
pub 4096R/D22E77F2 2009-01-19 Fedora (11) <fedora@fedoraproject.org>
Key fingerprint = AEE4 0C04 E345 60A7 1F04 3D7C 1DC5 C758 D22E 77F2
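The same fingerprint comparison, done for every key file at once, as an added example that is not part of this page or of the Fedora tooling. It assumes GnuPG is installed and that the key files carry the names used in the lists below; the expected values are the fingerprints from the "Currently used keys" and "Obsolete keys" sections, and KEYDIR is an assumed environment override used only for testing against another directory.

```shell
#!/bin/sh
# Added example, not part of the Fedora page: compare the fingerprint of every
# key file in /etc/pki/rpm-gpg with the value published for it on this page.
# Assumes GnuPG (gpg) is installed. KEYDIR is an assumed override for testing.

# Expected fingerprints, copied from the key lists on this page and written
# without spaces. Files that are not listed make the function return 1.
expected_fpr() {
  case "$1" in
    RPM-GPG-KEY-fedora-11-primary)           echo AEE40C04E34560A71F043D7C1DC5C758D22E77F2 ;;
    RPM-GPG-KEY-fedora-10-primary)           echo 61A8ABE091FF9FBBF4B07709BF226FCC4EBFC273 ;;
    RPM-GPG-KEY-fedora-test-10-primary)      echo C561307674877FDFA36DCA3892A1023D0B86274E ;;
    RPM-GPG-KEY-fedora-8-and-9-primary)      echo 4FFF1F04010DEDCAE203591D62AEC3DC6DF2196F ;;
    RPM-GPG-KEY-fedora-test-8-and-9-primary) echo C0E7128E907296CAAE3178A28E693B4DDF9B0AE9 ;;
    # Obsolete keys; still present in the directory on some releases.
    RPM-GPG-KEY-fedora)                      echo CAB44B996F27744E86127CDFB44269D04F2A6FD2 ;;
    RPM-GPG-KEY-fedora-test)                 echo 3166C14AAE7230D93B7AB2F6DA84CBD430C9ECF8 ;;
    RPM-GPG-KEY-fedora-extras)               echo 5389DD00C5BC516812B4327282ED95041AC70CE6 ;;
    RPM-GPG-KEY-legacy)                      echo D66D121F97845E7B27578C46108C4512731002FA ;;
    *)                                       return 1 ;;
  esac
}

# Strip spaces, colons and newlines and upper-case the hex digits so that any
# of the usual notations compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

fpr_matches() {
  [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Fingerprint of the primary key in an armored key file. GnuPG 2.1.23 and
# later have --show-keys; older versions list a file given as a bare argument,
# so fall back to that. In --with-colons output the full fingerprint is field
# 10 of the "fpr" record, and the first such record belongs to the primary key.
key_fpr() {
  { gpg --batch --with-colons --with-fingerprint --show-keys "$1" 2>/dev/null \
      || gpg --batch --with-colons --with-fingerprint "$1" 2>/dev/null; } \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Check one key file. Exit status: 0 match, 1 mismatch, 2 not listed here,
# 3 fingerprint unreadable.
check_key() {
  kname=$(basename "$1")
  want=$(expected_fpr "$kname") || { echo "$kname: not listed on this page, compare it by hand"; return 2; }
  got=$(key_fpr "$1")
  [ -n "$got" ] || { echo "$kname: could not read a fingerprint (is gpg installed?)"; return 3; }
  if fpr_matches "$got" "$want"; then
    echo "$kname: OK $want"
  else
    echo "$kname: MISMATCH expected $want, file has $(normalize_fpr "$got")"
    return 1
  fi
}

# Check every RPM-GPG-KEY-* file in a directory; nonzero if anything was off.
check_all_keys() {
  rc=0
  for f in "$1"/RPM-GPG-KEY-*; do
    if [ ! -f "$f" ]; then echo "no key files found in $1"; return 3; fi
    check_key "$f" || rc=1
  done
  return $rc
}

if check_all_keys "${KEYDIR:-/etc/pki/rpm-gpg}"; then
  echo "all keys match their published fingerprints"
else
  echo "at least one key is missing, unreadable, unlisted or mismatched; do not rely on it until you know why" >&2
fi
```

A mismatch means the file on disk is not the key this page describes, whatever its name says; do not import it with rpm --import until you have found out where it came from. The check reads the key file directly, so it also works for a key you downloaded from a key server before importing it.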
Verifying a package
With the default yum configuration in stable releases, the signature of each package is verified before it is installed. Verification is controlled by the gpgcheck directive, which can be set globally in yum.conf or per repository in that repository's definition; gpgcheck=0 disables it. Do not override the default unless you have a very good reason to do so, and when you add a third-party repository, check that its definition does not set gpgcheck=0.
If you do not use yum, you can check the signature of a package file with the following command:
rpm {-K|--checksig} PACKAGE_FILE ...
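An added example, not from this page or from the Fedora tooling, that covers both points of this section: which repository definitions have signature checking turned off, and whether a package file actually carries a signature. It assumes rpm is installed and repositories live in /etc/yum.repos.d; the rpm -K wording it recognises and the SIGPGP, SIGGPG, RSAHEADER and DSAHEADER query tags are assumptions about rpm, and the sample rpm -K lines in the tests are constructed rather than captured. The caveat it is built around: rpm -K prints OK, and exits 0, for an unsigned package whose digests verify, so a script that only checks the exit status accepts unsigned packages.

```shell
#!/bin/sh
# Added example, not part of the Fedora page: audit repository definitions for
# disabled signature checking and tell signed from unsigned package files.
# Assumes rpm is installed and repositories live in /etc/yum.repos.d. The rpm
# query tags and the `rpm -K` wording handled below are assumptions about rpm.

# 1. Print "file:section gpgcheck=VALUE" for every repository section whose
#    gpgcheck is not enabled. "unset" means the section inherits the [main]
#    value from yum.conf, which is worth seeing rather than assuming.
repos_without_gpgcheck() {
  awk '
    function flush() {
      if (sect != "" && tolower(gc) !~ /^(1|true|yes)$/)
        printf "%s:%s gpgcheck=%s\n", fname, sect, gc
    }
    FNR == 1 { flush(); sect = ""; fname = FILENAME }
    /^[ \t]*\[/ {
      flush()
      sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
      gc = "unset"
      next
    }
    /^[ \t]*gpgcheck[ \t]*=/ {
      gc = $0; sub(/^[^=]*=[ \t]*/, "", gc); sub(/[ \t].*$/, "", gc)
      if (gc == "") gc = "empty"
    }
    END { flush() }
  ' "$@"
}

# 2. Classify one line of `rpm -K` output. rpm prints OK, and exits 0, for an
#    unsigned package whose digests verify, so "OK" alone is not enough: only
#    a line naming pgp, gpg or signatures shows that a signature was checked.
#    Handles the older wording ("... pgp md5 OK", "sha1 md5 OK") and the
#    newer one ("digests signatures OK", "digests OK").
classify_checksig() {
  line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$line" in
    *"not ok"*)                                  echo bad ;;
    *" pgp "*ok|*" gpg "*ok|*" signatures "*ok)  echo signed ;;
    *" ok")                                      echo unsigned ;;
    *)                                           echo unknown ;;
  esac
}

# 3. Ask rpm for the signature tags directly. Each prints "(none)" when the
#    package carries no signature of that kind, so any other value means
#    a signature is present (whether or not the key is in the rpm database).
sig_fields_signed() {
  printf '%s\n' "$1" | tr '|' '\n' | grep -qv '^(none)$'
}

package_signed() {
  fields=$(rpm -qp --qf '%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}|%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}' "$1" 2>/dev/null) || return 2
  sig_fields_signed "$fields"
}

main() {
  echo "== repository sections with gpgcheck disabled or unset =="
  for f in /etc/yum.repos.d/*.repo; do
    [ -f "$f" ] && repos_without_gpgcheck "$f"
  done
  echo "== package files =="
  for pkg in "$@"; do
    verdict=$(classify_checksig "$(rpm -K "$pkg" 2>&1)")
    if package_signed "$pkg"; then present=yes; else present=no; fi
    echo "$pkg: rpm -K says $verdict; signature tags present: $present"
  done
}

# Usage: sh verify-rpms.sh PACKAGE_FILE ...
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as sh verify-rpms.sh *.rpm (verify-rpms.sh is a name chosen here). The first pass lists repository sections to review; the second prints, for each package, the rpm -K verdict next to whether rpm found any signature tag, so an unsigned package shows up as "unsigned ... present: no" even though rpm -K exited 0. A "bad" verdict with "present: yes" usually means the signing key has not been imported yet, which is where rpm --import and the fingerprint check above come in.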
Currently used keys
RPM-GPG-KEY-fedora-11-primary
pub 4096R/D22E77F2 2009-01-19
Key fingerprint = AEE4 0C04 E345 60A7 1F04 3D7C 1DC5 C758 D22E 77F2
uid Fedora (11) <fedora@fedoraproject.org>
- Download: Fedora Project
- Download: keys.gnupg.net
RPM-GPG-KEY-fedora-10-primary
pub 1024D/4EBFC273 2008-08-27
Key fingerprint = 61A8 ABE0 91FF 9FBB F4B0 7709 BF22 6FCC 4EBF C273
uid Fedora (10) <fedora@fedoraproject.org>
sub 4096g/C1527A5F 2008-08-27
- Download: Fedora Project
- Download: keys.gnupg.net
RPM-GPG-KEY-fedora-test-10-primary
pub 1024D/0B86274E 2008-08-27
Key fingerprint = C561 3076 7487 7FDF A36D CA38 92A1 023D 0B86 274E
uid Fedora (10 testing) <fedora@fedoraproject.org>
sub 4096g/7645A8D9 2008-08-27
- Download: Fedora Project
- Download: keys.gnupg.net
RPM-GPG-KEY-fedora-8-and-9-primary
pub 1024D/6DF2196F 2008-08-27
Key fingerprint = 4FFF 1F04 010D EDCA E203 591D 62AE C3DC 6DF2 196F
uid Fedora (8 and 9) <fedora@fedoraproject.org>
sub 4096g/9E198F60 2008-08-27
- Download: Fedora Project
- Download: keys.gnupg.net
RPM-GPG-KEY-fedora-test-8-and-9-primary
pub 1024D/DF9B0AE9 2008-08-27
Key fingerprint = C0E7 128E 9072 96CA AE31 78A2 8E69 3B4D DF9B 0AE9
uid Fedora (8 and 9 testing) <fedora@fedoraproject.org>
sub 4096g/80E34F98 2008-08-27
- Download: Fedora Project
- Download: keys.gnupg.net
Obsolete keys
RPM-GPG-KEY-fedora
pub 1024D/4F2A6FD2 2003-10-27
Key fingerprint = CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2
uid Fedora Project <fedora@redhat.com>
sub 1024g/FB939E34 2003-10-27
- Fedora Core (version 6 and earlier)
- Fedora (version 7, 8, and 9)
- Both GA and updates
Packages on installation media are signed with this key. The relevant yum repositories are fedora, fedora-updates for Fedora 7-9, and core and core-updates for Fedora Core (Version 6 and earlier). See http://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html for information on why this key is obsolete.
- Path: /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
- Download: keys.gnupg.net
RPM-GPG-KEY-fedora-test
pub 1024D/30C9ECF8 2003-10-27
Key fingerprint = 3166 C14A AE72 30D9 3B7A B2F6 DA84 CBD4 30C9 ECF8
uid Fedora Project (Test Software) <rawhide@redhat.com>
- Fedora (version 7 and newer) testing updates
If you participate in testing of the packages, this is the key you will use to verify the testing packages. This key signs the packages that are in fedora-testing repository. See http://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html for information on why this key is obsolete.
- Path: /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-test
- Download: keys.gnupg.net
RPM-GPG-KEY-fedora-extras
pub 1024D/1AC70CE6 2004-12-14
Key fingerprint = 5389 DD00 C5BC 5168 12B4 3272 82ED 9504 1AC7 0CE6
uid Fedora Project <fedora-extras@fedoraproject.org>
uid Fedora Pre Extras Release <pre-extras@fedoraproject.org>
uid Fedora Project <fedora-extras@redhat.com>
sub 1024g/4E1A9D43 2004-12-14
- Fedora Extras (version 6 and earlier)
If you use Fedora Extras with Fedora Core 6, this is the key for packages from the extras repository. It will no longer be used after Fedora Core 6 and Extras reach EOL (December 7th 2007), and it is not included in the fedora-release package in Fedora 7 and later releases.
- Path: /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras
- Download: keys.gnupg.net
RPM-GPG-KEY-legacy
pub 1024D/731002FA 2004-01-19
Key fingerprint = D66D 121F 9784 5E7B 2757 8C46 108C 4512 7310 02FA
uid Fedora Legacy (http://www.fedoralegacy.org) <secnotice@fedoralegacy.org>
sub 2048g/D12E351D 2004-01-19
- Fedora Legacy
This key was used for packages released by the Fedora Legacy project to update releases that had reached their official EOL. The Fedora Legacy project no longer exists, so this key will no longer be used to sign packages. It is not included in the fedora-release package in Fedora 7 and later releases.