DNF replaced Yum as Fedora's default package manager in Fedora 22. See man page yum2dnf for changes.
DNF's configuration file is /etc/dnf/dnf.conf. The man page dnf.conf has details.
Commands dnf and yum are symbolic links to (Python script) dnf-3:
-> file `which dnf` `which yum` `which dnf-3` /usr/bin/dnf: symbolic link to dnf-3 /usr/bin/yum: symbolic link to dnf-3 /usr/bin/dnf-3: Python script, ASCII text executable
To list the repositories that DNF consults:
=> dnf repolist ... repo id repo name status adobe-linux-x86_64 Adobe Systems Incorporated 3 *fedora Fedora 30 - x86_64 56,582 *fedora-modular Fedora Modular 30 - x86_64 135 *rpmfusion-free RPM Fusion for Fedora 30 - Free 616 *rpmfusion-free-updates RPM Fusion for Fedora 30 - Free - Updates 244 *updates Fedora 30 - x86_64 - Updates 11,603 *updates-modular Fedora Modular 30 - x86_64 - Updates 144 ...
By default, this report lists only enabled repositories; add option all or disabled to show disabled repositories, too.
For more information about a particular repository, say Fedora:
=> dnf repoinfo fedora Last metadata expiration check: 0:20:54 ago on Tue 20 Aug 2019 01:44:52 PM EDT. Repo-id : fedora Repo-name : Fedora 30 - x86_64 Repo-status : enabled Repo-revision: 1556236182 Repo-updated : Thu 25 Apr 2019 07:49:41 PM EDT Repo-pkgs : 56,582 Repo-size : 71 G Repo-metalink: https://mirrors.fedoraproject.org/metalink?repo=fedora-30&arch=x86_64 Updated : Tue 20 Aug 2019 01:44:51 PM EDT Repo-baseurl : rsync://mirrors.syringanetworks.net/fedora/linux/releases/30/Everything/x86_64/os/ : (105 more) Repo-expire : 604,800 second(s) (last: Tue 20 Aug 2019 01:44:51 PM EDT) Repo-filename: /etc/yum.repos.d/fedora.repo
DNF determines its repositories by examining the configuration files present under /etc/yum.repos.d:
=> ls /etc/yum.repos.d/ adobe-linux-x86_64.repo fedora-updates-testing-modular.repo fedora-cisco-openh264.repo fedora-updates-testing.repo fedora-modular.repo rpmfusion-free.repo fedora.repo rpmfusion-free-updates.repo fedora-updates-modular.repo rpmfusion-free-updates-testing.repo fedora-updates.repo
You can use DNF plugin config-manager (package dnf-plugins-core) to enable or disable an installed repository:
=> dnf config-manager --enable adobe-linux-x86_64 => dnf config-manager --disable adobe-linux-x86_64
You can also use config-manager to see all settings for a repository:
=> dnf config-manager --dump fedora ==================================== repo: fedora ==================================== [fedora] bandwidth = 0 baseurl = [] … type = rpm username = => dnf config-manager --dump fedora | wc -l 42
The Adobe repository provides the proprietary Adobe Flash Plugin for Firefox (package flash-plugin).
To add the Adobe repository:
=> rpm --install http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm warning: /var/tmp/rpm-tmp.suzhY5: Header V3 DSA/SHA1 Signature, key ID f6777c67: NOKEY => dnf repolist adobe* … repo id repo name status adobe-linux-x86_64 Adobe Systems Incorporated 3
Adobe signed this package (with key f6777c67), but the package itself contains the corresponding public key to be imported:
=> rpm --query --info adobe-release-x86_64 | grep Signature Signature : DSA/SHA1, Fri 01 Apr 2011 01:25:05 PM EDT, Key ID 3a69bd24f6777c67 => rpm --query gpg-pubkey-f6777c67 package gpg-pubkey-f6777c67 is not installed => rpm --query --list adobe-release-x86_64 /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux /etc/yum.repos.d/adobe-linux-x86_64.repo => gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux pub 1024D/F6777C67 2007-02-28 Adobe Systems Incorporated (Linux RPM Signing Key) <secure@adobe.com> Key fingerprint = 78A8 75E9 7F09 06BD 6355 73FA 3A69 BD24 F677 7C67
The above warning from rpm when installing adobe-linux-x86_64 reflects this chicken-and-egg conundrum. Adobe does not provide the fingerprint for its public key, so you cannot verify your copy. But you're stuck unless you accept the public key downloaded and unpacked above:
=> rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux => rpm --query -info gpg-pubkey-f6777c67 Name : gpg-pubkey Version : f6777c67 ... Summary : gpg(Adobe Systems Incorporated (Linux RPM Signing Key) <secure@adobe.com>) ...
To see the repository's packages:
=> dnf repoquery --repoid adobe-linux-x86_64 Last metadata expiration check: 0:42:24 ago on Tue 20 Aug 2019 01:44:50 PM EDT. adobe-release-x86_64-0:1.0-1.noarch flash-player-ppapi-0:32.0.0.238-release.x86_64 flash-plugin-0:32.0.0.238-release.x86_64
To remove Adobe's repository and public key:
=> rpm --erase adobe-release-x86_64 gpg-pubkey-f6777c67
Google's Chrome browser (package google-chrome-stable) has its own repository.
To add the Google repository, first download and verify Google's public key for Linux packages:
-> wget https://dl-ssl.google.com/linux/linux_signing_key.pub ... -> gpg --with-fingerprint linux_signing_key.pub pub 1024D/7FAC5991 2007-03-08 Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com> Key fingerprint = 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991 ...
Check this fingerprint against the published fingerprint on Google's web page, above.
Next, import the verified key into RPM's keyring, and move the key's file into RPM's keyring directory:
-> rpm --import linux_signing_key.pub -> rpm --query --queryformat "%{name} %{summary}\n" gpg-pubkey-7fac5991 gpg(Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>) -> mv linux_signing_key.pub /etc/pki/rpm-gpg/RPM-GPG-KEY-google-linux
Finally, create a repo file for Yum:
-> cat <<EOF > /etc/yum.repos.d/google-chrome.repo [google-chrome] name=Google baseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-google-linux EOF
There's a variation which omits explicitly downloading and importing Google's signing key. This variation refers rpm to Google's server the first time rpm needs the key. Simply create the following repo file instead of the preceding version; it differs only in the last line:
-> cat <<EOF > /etc/yum.repos.d/google-chrome.repo [google-chrome] name=Google baseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch enabled=1 gpgcheck=1 gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub EOF
When you have yum install Chrome for the first time, it will retrieve the key and ask for your approval to import it:
-> yum install google-chrome-stable ... Public key for google-chrome-stable-36.0.1985.143-1.x86_64.rpm is not installed ... Retrieving key from https://dl-ssl.google.com/linux/linux_signing_key.pub Importing GPG key 0x7FAC5991: Userid : "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>>" Fingerprint: 4cca 1eaf 950c ee4a b839 76dc a040 830f 7fac 5991 From : https://dl-ssl.google.com/linux/linux_signing_key.pub Is this ok [y/N]: ...
To see the repository's packages:
-> repoquery --repoid google-chrome '*' google-chrome-beta-0:37.0.2062.68-1.x86_64 google-chrome-stable-0:36.0.1985.125-1.x86_64 google-chrome-unstable-0:38.0.2114.2-1.x86_64
To add the RPM Fusion free repository (package rpmfusion-free-release), first install the package, then verify the fingerprint of the installed signing key against the published fingerprint:
-> yum install --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm -> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-20 pub 4096R/AE688223 2013-01-01 RPM Fusion free repository for Fedora (20) <rpmfusion-buildsys@lists.rpmfusion.org> Key fingerprint = 0017 DDFE FD13 2929 9D55 B1D3 963A 8848 AE68 8223
The package installs additional keys for Fedora 21 and 22; verify these as required.
-> ls --classify /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free* | grep --invert-match @ /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-20-primary /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-21-primary /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-22-primary
To install the RPM Fusion nonfree repository (package rpmfusion-nonfree-release), substitute "nonfree" for "free" above:
-> yum install --nogpgcheck http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm -> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-20-primary pub 4096R/B5F29883 2013-01-01 RPM Fusion nonfree repository for Fedora (20) <rpmfusion-buildsys@lists.rpmfusion.org> Key fingerprint = A84D CF58 46CB 10B6 5C47 6C35 63C0 DE8C B5F2 9883
These repositories offer hundreds of packages:
-> yum repolist --disablerepo '*' --enablerepo rpmfusion-*free ... repo id ... repo name ... status rpmfusion-free/20/x86_64 ... RPM Fusion for Fedora 20 - Free ... 468 rpmfusion-nonfree/20/x86_64 ... RPM Fusion for Fedora 20 - Nonfree ... 203 repolist: 671
To tell RPM what tags you want a query to report, use option --queryformat. For example:
-> rpm --query --group "Applications/Databases" --queryformat "%{name}: %{summary}\n" | sort libdb-utils: Command line tools for managing Berkeley DB databases mariadb: A community developed branch of MySQL mariadb-libs: The shared libraries required for MariaDB/MySQL clients mariadb-server: The MariaDB server and related files sqlite: Library that implements an embeddable SQL database engine
To list the tags for --queryformat:
-> rpm --querytags ARCH .. XPM -> rpm --querytags | wc --lines 189
See section Query Options of the man page for details.
To list the RPM package groups:
-> rpm --query --all --queryformat "%{group}\n" | sort --unique Amusements/Graphics ... User Interface/X Hardware Support -> rpm --query --all --queryformat "%{group}\n" | sort --unique | wc --lines 31
RPM repositories sign their packages with a private key, and rpm uses corresponding public keys to verify downloaded packages. The local RPM database maintains its own keyring for the repositories rpm searches, and rpm itself is used to manage this keyring.
Fedora signs its packages with a private key specific to each release. For example:
-> rpm --query --group 'Applications/Databases' --queryformat "%-15{name} | %{SIGPGP:pgpsig}\n"; libdb-utils | RSA/SHA256, Wed 09 Oct 2013 11:51:06 PM EDT, Key ID 2eb161fa246110c1 sqlite | RSA/SHA256, Tue 10 Jun 2014 12:18:56 PM EDT, Key ID 2eb161fa246110c1 mariadb-libs | RSA/SHA256, Mon 30 Jun 2014 10:42:50 AM EDT, Key ID 2eb161fa246110c1 mariadb | RSA/SHA256, Mon 30 Jun 2014 10:43:08 AM EDT, Key ID 2eb161fa246110c1 mariadb-server | RSA/SHA256, Mon 30 Jun 2014 10:43:21 AM EDT, Key ID 2eb161fa246110c1
RPM verifies a package's signature against the corresponding public key stored under directory /etc/pki/rpm-gpg. The ID above corresponds to the primary key for Fedora 20:
-> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-primary pub 4096R/246110C1 2013-05-16 Key fingerprint = C7C9 A9C8 9153 F201 83CE 7CBA 2EB1 61FA 2461 10C1 uid Fedora (20) <fedora@fedoraproject.org>
Other repositories likewise sign their packages and provide a public key for subsequent verification. Directory /etc/pki/rpm-gpg comprises RPM's own keyring. Each of its files holds the public key of a repository:
-> ls -1 --classify /etc/pki/rpm-gpg | grep --invert-match '@' # grep to drop symbolic links RPM-GPG-KEY-adobe-linux RPM-GPG-KEY-fedora-20-primary ... RPM-GPG-KEY-rpmfusion-nonfree-fedora-22-primary -> file --brief /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-primary PGP public key block
Several packages populate this keyring:
-> rpm --query --file /etc/pki/rpm-gpg/* | sort --unique adobe-release-x86_64-1.0-1.noarch fedora-release-20-3.noarch rpmfusion-free-release-20-1.noarch rpmfusion-nonfree-release-20-1.noarch
Package fedora-release-20-3, in particular, provides Fedora's keys:
-> rpm --query --file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-primary fedora-release-20-3.noarch
To see the available GPG keys plus summaries:
-> rpm --query --group "Public Keys" --queryformat "%{name}-%{version}-%{release}: %{summary}\n" gpg-pubkey-ae688223-50e31483: gpg(RPM Fusion free repository for Fedora (20) ... gpg-pubkey-b5f29883-50e31701: gpg(RPM Fusion nonfree repository for Fedora (20) ... gpg-pubkey-246110c1-51954fca: gpg(Fedora (20) ... gpg-pubkey-f6777c67-45e5b1b9: gpg(Adobe Systems Incorporated (Linux RPM Signing Key) ...
To see the details of a particular key, for example:
-> rpm --query --info gpg-pubkey-f6777c67-45e5b1b9 Name : gpg-pubkey Version : f6777c67 Release : 45e5b1b9 ...
Public keys for RPM are stored as ASCII-armored metadata in an rpm file that is otherwise an empty package. For example:
-> rpm --query --list gpg-pubkey-246110c1-51954fca (contains no files) -> rpm --query --info gpg-pubkey-246110c1-51954fca Name : gpg-pubkey Version : 246110c1 Release : 51954fca ... -----BEGIN PGP PUBLIC KEY BLOCK----- Version: rpm-4.11.1 (NSS-3) mQINBFGVT8oBEADiEFecKV2eDgaIoK6O/+2UxTGYHpVJYHj7Jl2EGHZWJ3jaN2xD ... =EJ/7 -----END PGP PUBLIC KEY BLOCK-----
To remove a key:
-> rpm --erase gpg-pubkey-f6777c67-45e5b1b9 -> rpm --query gpg-pubkey-f6777c67-45e5b1b9 package gpg-pubkey-f6777c67-45e5b1b9 is not installed
Yum plugin package yum-plugin-keys adds commands keys, keys-info, keys-data, and keys-remove.
-> yum keys Loaded plugins: keys, langpacks, refresh-packagekit Key owner ... Key ID Fedora (20) ... 246110c1-51954fca RPM Fusion free repository for Fedora (20) ... ae688223-50e31483 RPM Fusion nonfree repository for Fedora (20) ... b5f29883-50e31701 keys done -> yum keys-info 246110c1-51954fca Loaded plugins: keys, langpacks, refresh-packagekit Type : GPG Rpm Key ID : 246110c1-51954fca Key owner : Fedora (20) ... Primary ID : Fedora (20) <fedora@fedoraproject.org> Algorithm : RSA (Encrypt or Sign) Fingerprint: c7c9 a9c8 9153 f201 83ce 7cba 2eb1 61fa 2461 10c1 Key ID : 2eb161fa246110c1
To remove a retired kernel package (should disk space get tight, for example):
-> rpm --query --group "System Environment/Kernel" | grep kernel kernel-3.15.6-200.fc20.x86_64 kernel-3.15.7-200.fc20.x86_64 kernel-3.15.8-200.fc20.x86_64 -> uname --kernel-release 3.15.8-200.fc20.x86_64 -> yum erase kernel-3.15.6-200.fc20.x86_64 ...
Install the RPM Developer tools package rpmdevtools (Developtment tools) to build the Linux kernel from Fedora source files. (Building requires qt-devel and libXi-devel too.) To configure (as ordinary user):
-> mkdir ~/scratch/rpmbuild -> cat > ~/.rpmmacros <<STOP %_topdir /home/ray/scratch/rpmbuild %_smp_mflags -j3 %__arch_install_post /usr/lib/rpm/check-rpaths /usr/lib/rpm/check-buildroot STOP -> rpmdev-setuptree
This will create directory ~/scratch/rpmbuild with required subdirectories:
-> ls ~/scratch/rpmbuild/ BUILD/ RPMS/ SOURCES/ SPECS/ SRPMS/
-> cd ~/scratch/rpmbuild -> dnf download --source p11-kit --downloaddir ./SRPMS enabling updates-source repository enabling fedora-source repository enabling rpmfusion-free-updates-source repository enabling rpmfusion-free-source repository enabling rpmfusion-nonfree-updates-source repository enabling rpmfusion-nonfree-source repository Last metadata expiration check: 0:07:09 ago on Sat 17 Feb 2018 12:57:07 PM EST. p11-kit-0.23.9-2.fc27.src.rpm 1.6 MB/s | 1.1 MB 00:00 -> ls SRPMS/ p11-kit-0.23.9-2.fc27.src.rpm -> rpmbuild -bp SPECS/p11-kit.spec error: Failed build dependencies: gtk-doc is needed by p11-kit-0.23.9-2.fc27.x86_64 libffi-devel is needed by p11-kit-0.23.9-2.fc27.x86_64 libtasn1-devel >= 2.3 is needed by p11-kit-0.23.9-2.fc27.x86_64