How to get expiry date for yum repo signing keys

Jon Reeves asked:

I recently had a package signing key expire, preventing some automatic updates from installing, so I am now setting up monitoring to make sure we are alerted if this happens again.

On Debian systems I can use apt-key to show all the repo keys and their expiry dates (if any), but I cannot find how to do the equivalent for yum on CentOS.

I can get some key info using:

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

But this does not show expiry dates – any idea how to extract this information?

My answer:


On Red Hat derived systems, the GPG keys are also stored in ASCII armor in the directory /etc/pki/rpm-gpg-keys. You can inspect any of the keys from there.

For example, on CentOS 8:

[[email protected] ~]# gpg /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2019-05-03 [SC]
      99DB70FAE1D7CE227FB6488205B555B38483C65D
uid           CentOS (CentOS Official Signing Key) <[email protected]>

You can use -v to see additional details, and you will need to do so on older versions of gpg. This example is from CentOS 7.

[[email protected] ~]# gpg -v /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 
Version: GnuPG v1.4.5 (GNU/Linux)
pub  4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>
sig        F4A80EB5 2014-06-23   [selfsig]
gpg: armor header: 

Neither of these has an expiry date, but a key which has an expiry date or is already expired will show the expiry date.

Here is a key with an expiry date in the future:

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2020-01-21 [SC] [expires: 2032-01-18]
      D25402AB23709F67CDF72CBFB413ACAD6275F250
uid           EuroLinux 8 GPG RPM sign key <[email protected]>
sub   rsa2048 2020-01-21 [E] [expires: 2032-01-18]

And here is a key that already expired:

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2016-05-20 [SC] [expired: 2019-05-20]
      36EBEB08D346B0A85B58E140EE788F495250AEF3
uid           The UnitedRPMs Project (Key for UnitedRPMs infrastructure) <[email protected]>
sub   rsa2048 2016-05-20 [E] [expired: 2019-05-20]

An optional package distribution-gpg-keys contains GPG keys from a variety of different Linux distributions and repositories. When this package is installed, these keys are available in the directory /usr/share/distribution-gpg-keys.


View the full question and any other answers on Server Fault.
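
A monitoring check of the kind the question asks for, added here as an example and not part of the original question or answer: it reads gpg's machine-readable --with-colons listing, where field 7 of each pub record is the expiry time in seconds since the epoch, instead of scraping the human-readable output shown above. The function names, the 30-day window and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: classify rpm signing keys by expiry.

# classify_keys NOW_EPOCH WARN_DAYS
# Reads a gpg --with-colons listing on stdin. For each primary key ("pub"
# record) prints STATUS, key ID (field 5) and expiry epoch (field 7, "-" if unset).
classify_keys() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" {
            expiry = $7
            if (expiry == "")                         s = "NOEXPIRY"
            else if (expiry + 0 <= now + 0)           s = "EXPIRED"
            else if (expiry - now <= warn * 86400)    s = "EXPIRING"
            else                                      s = "OK"
            printf "%s\t%s\t%s\n", s, $5, (expiry == "" ? "-" : expiry)
        }'
}

# check_dir DIR WARN_DAYS
# Lists every key file in DIR with gpg; returns 1 if any key is EXPIRED or
# EXPIRING. Assumes a gpg new enough to have --show-keys; on older releases
# drop that option and let gpg guess the command, as the answer does.
check_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        res=$(gpg --show-keys --with-colons "$f" 2>/dev/null |
              classify_keys "$(date +%s)" "$2")
        [ -n "$res" ] && printf '%s:\n%s\n' "$f" "$res"
        case $res in *EXPIRED*|*EXPIRING*) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample listing (key IDs and timestamps are made up; records trimmed).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAA1:1556841600:::-:::scSC:
uid:-::::1556841600::::Constructed key without expiry:
pub:-:2048:1:AAAAAAAAAAAAAAA2:1579564800:1958256000::-:::scESC:
sub:-:2048:1:BBBBBBBBBBBBBBB2:1579564800:1958256000:::::e:
pub:e:2048:1:AAAAAAAAAAAAAAA3:1463702400:1558310400::-:::sc:
pub:-:2048:1:AAAAAAAAAAAAAAA4:1690000000:1701000000::-:::scSC:
EOF
}

# Evaluate the sample as of epoch 1700000000 with a 30-day warning window.
sample_listing | classify_keys 1700000000 30
```

For a real check, call check_dir /etc/pki/rpm-gpg 30 from cron or a monitoring agent and alert on a non-zero exit status.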

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.