Re: public keys

On Fri, Nov 20, 2020 at 1:12 AM Josserand, Jesse F (NE) <
Jesse(dot)Josserand(at)gdit(dot)com> wrote:

> I’m trying to do a cold yum install of postgresql 12 rpm’s, but do not
> want to use '--nogpgcheck' when doing so.
>
> Where can I get the public keys?
>
> <https://www.teksynap.com/teksynap_signatures/Jesse_Josserand/?vcard=1>
>
>
>
>
>

I don't know what you mean by a "cold" install.

The keys are packaged in the repo-rpms.

$ rpm -ql pgdg-fedora-repo
/etc/pki/rpm-gpg
/etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
/etc/yum.repos.d/pgdg-fedora-all.repo

They're also available from the repository itself:

https://download.postgresql.org/pub/repos/yum/

The key you want is:

$ gpg --fingerprint 1F16D2E1442DF0F8
pub dsa1024 2008-01-08 [SCA]
68C9 E2B9 1A37 D136 FE74 D176 1F16 D2E1 442D F0F8
uid [ unknown] PostgreSQL RPM Building Project <
pgsqlrpms-hackers(at)pgfoundry(dot)org>
sub elg2048 2008-01-08 [E]

It should probably be published prominently on yum.postgresql.org by key-id
and fingerprint, so it can be verified somewhat independently of the actual
download repos, but AFAICS (
https://www.google.com/search?q=site%3Ayum.postgresql.org+1F16D2E1442DF0F8
) it is not.

so consider filing an issue for that:

https://redmine.postgresql.org/projects/pgrpms/

I also note that nobody's signed the key to attest its validity on the
keyservers. That's not necessarily required for rpms, but might be a good
idea. When I get a chance to verify it with Devrim via a side channel I'll
sign it and push my signature.