Search code examples
linuxdigital-signaturerpmpgpgnupg

Is there a way to get an installed RPM's signature Key ID programatically?

As displayed by rpm -qi package?

I don't really want to parse the output of rpm -qi. I'd much rather use rpm -q --qf, of which I can control the format and is not subjected to a future version's aesthetic whims.

But the only useful tag I can find in the man page is SIGPGP, which gets me the entire signature, not only the short key id. See the difference:

$ rpm -qi coreutils
Name        : coreutils                    Relocations: (not relocatable)
Version     : 8.4                               Vendor: Fedora Project
Release     : 8.fc13                        Build Date: Tue 20 Jul 2010 05:21:15 AM BRT
Install Date: Tue 03 Aug 2010 01:58:53 PM BRT      Build Host: x86-17.phx2.fedoraproject.org
Group       : System Environment/Base       Source RPM: coreutils-8.4-8.fc13.src.rpm
Size        : 12659257                         License: GPLv3+
Signature   : RSA/SHA256, Tue 20 Jul 2010 03:14:09 PM BRT, Key ID 7edc6ad6e8e40fde
Packager    : Fedora Project
URL         : http://www.gnu.org/software/coreutils/
Summary     : A set of basic GNU tools commonly used in shell scripts
Description :
These are the GNU core utilities.  This package is the combination of
the old GNU fileutils, sh-utils, and textutils packages.

$ rpm -q --qf '%{NAME}\t%{VERSION}\t%{RELEASE}\t%{ARCH}\t%{EPOCH}\t%{SIGPGP}\n' coreutils
coreutils       8.4     8.fc13  i686    (none)  8902150305004c45e7717edc6ad6e8e40fde010824c50fff6af998d5b67a663e6c165bbb3ff888afbe0961b7a60bab3d9a1605b271bbfaccc2eda4bc121e7bc8300efa0208100eb0961c021db2f0be52d422d21c0906a3252df125454fd4886af63574ed729c1370f583c0d46e4a97ee007b72966d965eed1891aaacf296ba31cb44fb46a20c5b39031b79c4eff66948aa3e79090a5f1ce969d3319ebbd47ff38ef382c64c1d59ba5c4d40b3d31a02620bd26005910ca98b7115ac24a30c2198f194bebb2347041ea094be23f5af2e6bb397736e8aff0dd95b4ebd2301ce00663180bbcf214559c72bc74a902102cdb2485b60c78e90c07ed76ecc78d44fd2ec710eb59937e513a37383b5f79a9a1a3996b614a8c1dc81eb8bd468b24aeceac378ee2da659978b5ebe7ab8b52ddb9342e45b2aa5d7b46c40904b57fd6e5ecf26e651c0dce46edb65ef54d26b73fbe99ac5757648c2e509e00887bb1373d30202a30e978407d9db3426d1f468ed4f88f3b379b14ac74b98167860fa36adc0768d6f33958e17c08a896f5aadcb6b70ce2c104454ab4d5b2e6166de465905d8aac14d5257324d50d78e9dc0b3836adc0817eacf5cd026e53330afefe24c6ad549d29b46f9bef544abfa4a87c66fc64c5281b453f72b3c6e660098c856d18031abb725792788ca6061603046170bfdfffb7772ee55299a2f92c996cd140470dba1b99f3c8e5e4a4f7c159fd0fae3fd1854335615e577fb5d05f5
Solution

  • To answer the actual question, no, there is no way to directly query for the keyid. I ran into the same problem you're having and found someone actually created a bug report with redhat for a feature to request that feature be added.

    In the bug report, the responder says to use something like below:

    rpm -q --qf "%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none}|}| %{NVRA}\n" emacs | cut -d' ' -f11