Importing GPG Keys


On 2008-01-23 the openSUSE project decided to use a separate key for each project instead of the one common key that was used until then. The respective key is delivered with the first update of a project, so every user has to import the keys gradually, one project at a time. Depending on the number of keys, this can be tedious work ;-)

Bernhard Walle, a member of the openSUSE project team, has written an import script (in Python) that is available via This script searches the repositories you have defined in smart, and if they are on, the respective key is fetched.

It first collects all repositories, then looks up the respective keys, and in a third step imports the keys. I had the problem that one repo had no key, so the script hit the wall. Since I did not succeed in modifying Bernhard's script, I wrote a shell script to do this task:

The script

#!/bin/bash
# the base URL we search on
# new: use more than one base URL for your repositories:
# (the URL list is not reproduced on this page; pass your own, space-separated)
SOS_URLS="${SOS_URLS:?set SOS_URLS to the base URL(s) of your repositories}"
# private work directory for the downloaded .repo file and key
WORKDIR=$(mktemp -d) || exit 1
TEMPREPO="$WORKDIR/repo"
TEMPKEY="$WORKDIR/key"
trap 'rm -rf "$WORKDIR"' EXIT
for SOS_URL in $SOS_URLS; do
  SOS_LEN=$(expr length "$SOS_URL")
  # only URLs containing $SOS_URL please:
  URLLIST=$(smart channel --show | grep ^baseurl | cut -d' ' -f 3 | grep "$SOS_URL" | sort)
  for URL in $URLLIST; do
    # make sure we have a trailing slash
    echo "$URL" | grep '/$' >/dev/null 2>&1 || URL="$URL/"
    # inside the directory should be a .repo file
    # so we try to find its name
    # substring handling is somewhat #+@%$&# in bash...
    # (strip the base URL, drop the last path component, remove the slashes)
    URLAST=$(echo "${URL:$SOS_LEN}" | rev | cut -d'/' -f 3- | rev | tr -d '/')
    # ...finally...
    rm -f "$TEMPREPO"
    wget -q "${URL}${URLAST}.repo" -O "$TEMPREPO" >/dev/null 2>&1
    # REPO file exists and is not zero sized?
    if [ ! -f "$TEMPREPO" -o ! -s "$TEMPREPO" ]; then
      echo "Error getting REPO file for $URLAST from $URL"
      continue
    fi
    # now we read the URL of the keyfile from the repo file
    KEYURL=$(grep ^gpgkey "$TEMPREPO" | cut -d'=' -f 2)
    if [ -z "$KEYURL" ]; then
      echo "No key for $URLAST detected"
      continue
    fi
    # download it...
    rm -f "$TEMPKEY"
    wget -q "$KEYURL" -O "$TEMPKEY" >/dev/null 2>&1
    # wget -O creates the file even when the download fails, so test for content
    if [ ! -s "$TEMPKEY" ]; then
      echo "Error getting keyfile $KEYURL for $URLAST"
      continue
    fi
    # identify it, maybe it is already there
    # (expects gpg to print the key as "pub  <size>/<KEYID> ...")
    KEYID=$(gpg "$TEMPKEY" | cut -d'/' -f 2 | cut -d' ' -f 1 | tr 'A-Z' 'a-z')
    INSTALLEDKEYS=$(LANG=C rpm -q "gpg-pubkey-$KEYID" 2>/dev/null)
    DOINSTALL=0
    echo "$INSTALLEDKEYS" | grep 'is not installed' >/dev/null 2>&1 && DOINSTALL=1
    # so, at the very end, import it - or not :-)
    if [ $DOINSTALL -eq 1 ]; then
      echo "Importing key $KEYID for $URLAST"
      rpm --import "$TEMPKEY"
      # if you use apt in parallel, you will love the next line ;-)
      gpg --import "$TEMPKEY"
    else
      echo "Key $KEYID for $URLAST already imported"
    fi
  done
done


The script asks smart for all repositories (whether they are disabled or not), then checks them for (one may change the SOS_URL to, or to, it will also work). Unlike Bernhard's script, I check the URLs sequentially for a key and import it (if it is not already there); I do not import them all together. But of course, all the tricks are shamelessly stolen from his script ;-)

# smart channel --show | grep ^baseurl | grep | wc -l

It works for me with 392 repositories :-)
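The script imports whatever key a repository's .repo file points to, and identifies it only by the short 8-digit key ID. As an added example (not part of the original script or of Bernhard's), the import step can be gated on a list of full fingerprints you have verified yourself; the function names and the pin file format are assumptions, and `import_if_pinned` assumes a GnuPG that supports `--show-keys` (the 2.2 series does).

```bash
#!/bin/bash
# Added example: gate "rpm --import" on a pinned full fingerprint.
# Function names and the pin file format are assumptions for illustration.

# Print the primary-key fingerprint(s) found in "gpg --with-colons" output
# read from stdin. A "pub" record starts a key; the first "fpr" record after
# it carries the fingerprint in field 10. Subkey fingerprints are skipped.
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "sub" { want = 0; next }
           $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Succeed only if the listing holds exactly one primary key and its full
# fingerprint is in the pin file (one fingerprint per line, "#" comments,
# spaces and letter case ignored).
# $1 = colon listing, $2 = pin file
key_is_pinned() {
  local fprs count
  fprs=$(printf '%s\n' "$1" | primary_fprs)
  count=$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')
  # refuse empty files and key files that bundle several keys
  [ "$count" -eq 1 ] || return 1
  grep -v '^#' "$2" | tr -d ' ' | tr 'a-z' 'A-Z' | grep -Fqx "$fprs"
}

# Replacement for the bare "rpm --import" step.
# $1 = downloaded key file, $2 = pin file
import_if_pinned() {
  local listing
  listing=$(gpg --show-keys --with-colons "$1" 2>/dev/null) || return 1
  if ! key_is_pinned "$listing" "$2"; then
    echo "Refusing key in $1: fingerprint not pinned" >&2
    return 1
  fi
  rpm --import "$1"
}
```

In the loop above, `import_if_pinned "$TEMPKEY" /path/to/pins` would take the place of `rpm --import "$TEMPKEY"`; the pin file path is a placeholder.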

This page is also available in German.

users/werner/getrepokeys_en.txt · Last modified: 2008-04-18 0734 by werner

Unless otherwise noted, the content of this wiki is published under the following license: Public Domain