DNF & RPM (& Yum)

DNF Miscellany

DNF replaced Yum as Fedora's default package manager in Fedora 22. See man page yum2dnf for changes.

DNF's configuration file is /etc/dnf/dnf.conf. The man page dnf.conf has details.

Commands dnf and yum are symbolic links to (Python script) dnf-3:

-> file `which dnf` `which yum` `which dnf-3`
/usr/bin/dnf:   symbolic link to dnf-3
/usr/bin/yum:   symbolic link to dnf-3
/usr/bin/dnf-3: Python script, ASCII text executable

DNF Repositories

To list the repositories that DNF consults:

=> dnf repolist
...
repo id                     repo name                                     status
adobe-linux-x86_64          Adobe Systems Incorporated                         3
*fedora                     Fedora 30 - x86_64                            56,582
*fedora-modular             Fedora Modular 30 - x86_64                       135
*rpmfusion-free             RPM Fusion for Fedora 30 - Free                  616
*rpmfusion-free-updates     RPM Fusion for Fedora 30 - Free - Updates        244
*updates                    Fedora 30 - x86_64 - Updates                  11,603
*updates-modular            Fedora Modular 30 - x86_64 - Updates             144
...

By default, this report lists only enabled repositories; add option all or disabled to show disabled repositories, too.

For more information about a particular repository, say Fedora:

=> dnf repoinfo fedora
Last metadata expiration check: 0:20:54 ago on Tue 20 Aug 2019 01:44:52 PM EDT.

Repo-id      : fedora
Repo-name    : Fedora 30 - x86_64
Repo-status  : enabled
Repo-revision: 1556236182
Repo-updated : Thu 25 Apr 2019 07:49:41 PM EDT
Repo-pkgs    : 56,582
Repo-size    : 71 G
Repo-metalink: https://mirrors.fedoraproject.org/metalink?repo=fedora-30&arch=x86_64
  Updated    : Tue 20 Aug 2019 01:44:51 PM EDT
Repo-baseurl : rsync://mirrors.syringanetworks.net/fedora/linux/releases/30/Everything/x86_64/os/
             : (105 more)
Repo-expire  : 604,800 second(s) (last: Tue 20 Aug 2019 01:44:51 PM EDT)
Repo-filename: /etc/yum.repos.d/fedora.repo

DNF determines its repositories by examining the configuration files present under /etc/yum.repos.d:

=> ls /etc/yum.repos.d/
adobe-linux-x86_64.repo      fedora-updates-testing-modular.repo
fedora-cisco-openh264.repo   fedora-updates-testing.repo
fedora-modular.repo          rpmfusion-free.repo
fedora.repo                  rpmfusion-free-updates.repo
fedora-updates-modular.repo  rpmfusion-free-updates-testing.repo
fedora-updates.repo

You can use DNF plugin config-manager (package dnf-plugins-core) to enable or disable an installed repository:

=> dnf config-manager --enable  adobe-linux-x86_64
=> dnf config-manager --disable adobe-linux-x86_64

You can also use config-manager to see all settings for a repository:

=> dnf config-manager --dump fedora
==================================== repo: fedora ====================================
[fedora]
bandwidth = 0
baseurl = []
…
type = rpm
username = 
=> dnf config-manager --dump fedora | wc -l
42

Adobe Repository

The Adobe repository provides the proprietary Adobe Flash Plugin for Firefox (package flash-plugin).

To add the Adobe repository:

=> rpm --install http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm
warning: /var/tmp/rpm-tmp.suzhY5: Header V3 DSA/SHA1 Signature, key ID f6777c67: NOKEY
=> dnf repolist adobe*
…
repo id                             repo name                                   status
adobe-linux-x86_64                  Adobe Systems Incorporated                  3

Adobe signed this package (with key f6777c67), but the package itself contains the corresponding public key to be imported:

=> rpm --query --info adobe-release-x86_64 | grep Signature
Signature   : DSA/SHA1, Fri 01 Apr 2011 01:25:05 PM EDT, Key ID 3a69bd24f6777c67
=> rpm --query gpg-pubkey-f6777c67
package gpg-pubkey-f6777c67 is not installed
=> rpm --query --list adobe-release-x86_64
/etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
/etc/yum.repos.d/adobe-linux-x86_64.repo
=> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
pub  1024D/F6777C67 2007-02-28 Adobe Systems Incorporated (Linux RPM Signing Key) <secure@adobe.com>
      Key fingerprint = 78A8 75E9 7F09 06BD 6355  73FA 3A69 BD24 F677 7C67

The above warning from rpm when installing adobe-linux-x86_64 reflects this chicken-and-egg conundrum. Adobe does not provide the fingerprint for its public key, so you cannot verify your copy. But you're stuck unless you accept the public key downloaded and unpacked above:

=> rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
=> rpm --query --info gpg-pubkey-f6777c67
Name        : gpg-pubkey
Version     : f6777c67
...
Summary     : gpg(Adobe Systems Incorporated (Linux RPM Signing Key) <secure@adobe.com>)
...

To see the repository's packages:

=> dnf repoquery --repoid adobe-linux-x86_64 
Last metadata expiration check: 0:42:24 ago on Tue 20 Aug 2019 01:44:50 PM EDT.
adobe-release-x86_64-0:1.0-1.noarch
flash-player-ppapi-0:32.0.0.238-release.x86_64
flash-plugin-0:32.0.0.238-release.x86_64

To remove Adobe's repository and public key:

=> rpm --erase adobe-release-x86_64 gpg-pubkey-f6777c67

Google Repository

Google's Chrome browser (package google-chrome-stable) has its own repository.

To add the Google repository, first download and verify Google's public key for Linux packages:

-> wget https://dl-ssl.google.com/linux/linux_signing_key.pub
...
-> gpg --with-fingerprint linux_signing_key.pub
pub  1024D/7FAC5991 2007-03-08 Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
      Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
...

Check this fingerprint against the published fingerprint on Google's web page, above.

Next, import the verified key into RPM's keyring, and move the key's file into RPM's keyring directory:

-> rpm --import linux_signing_key.pub
-> rpm --query --queryformat "%{name} %{summary}\n" gpg-pubkey-7fac5991
gpg(Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>)
-> mv linux_signing_key.pub /etc/pki/rpm-gpg/RPM-GPG-KEY-google-linux

Finally, create a repo file for Yum:

-> cat <<EOF > /etc/yum.repos.d/google-chrome.repo
[google-chrome]
name=Google
baseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-google-linux
EOF
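
The fingerprint check in the first step can be scripted so that the key is imported only when it matches a value obtained separately from the download. This is an added example, not part of the original notes: the function names are hypothetical, `gpg --show-keys` assumes GnuPG 2.2 or later, and the colon listing in SAMPLE is constructed around the fingerprint shown above.

```shell
# Added example: import a key into RPM's keyring only if its fingerprint
# matches a value pinned in advance. Function names are hypothetical.

# Normalise a fingerprint: drop whitespace, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin. Print the primary key's
# fingerprint (field 10 of the first "fpr" record), but only when the
# input holds exactly one public key, since rpm --import loads them all.
primary_fpr() {
    awk -F: '
        $1 == "pub" { pubs++ }
        $1 == "fpr" && !seen { fpr = $10; seen = 1 }
        END { if (pubs == 1) print fpr }'
}

# Succeed only if the key listing on stdin has primary fingerprint $1.
fpr_matches() {
    expected=$(norm_fpr "$1")
    actual=$(norm_fpr "$(primary_fpr)")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Import KEYFILE ($1) only if its fingerprint equals EXPECTED ($2), which
# must come from a source other than the download (assumes GnuPG >= 2.2).
import_if_verified() {
    if gpg --show-keys --with-colons "$1" | fpr_matches "$2"; then
        rpm --import "$1"
    else
        echo "fingerprint mismatch for $1: key not imported" >&2
        return 1
    fi
}

# Constructed colon listing carrying the fingerprint shown above.
SAMPLE='pub:-:1024:17:A040830F7FAC5991:1173312000:::-:::scSC:
fpr:::::::::4CCA1EAF950CEE4AB83976DCA040830F7FAC5991:
uid:-::::1173312000::::Google, Inc. Linux Package Signing Key:'

if printf '%s\n' "$SAMPLE" |
       fpr_matches '4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991'
then echo "sample key: fingerprint verified"
fi
```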

There's a variation which omits explicitly downloading and importing Google's signing key. This variation refers rpm to Google's server the first time rpm needs the key. Simply create the following repo file instead of the preceding version; it differs only in the last line:

-> cat <<EOF > /etc/yum.repos.d/google-chrome.repo
[google-chrome]
name=Google
baseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub 
EOF

When you have yum install Chrome for the first time, it will retrieve the key and ask for your approval to import it:

->  yum install google-chrome-stable
...
Public key for google-chrome-stable-36.0.1985.143-1.x86_64.rpm is not installed
...
Retrieving key from https://dl-ssl.google.com/linux/linux_signing_key.pub
Importing GPG key 0x7FAC5991:
 Userid     : "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>>"
 Fingerprint: 4cca 1eaf 950c ee4a b839 76dc a040 830f 7fac 5991
 From       : https://dl-ssl.google.com/linux/linux_signing_key.pub
Is this ok [y/N]: ...
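
Both repo files above enable gpgcheck, which covers package signatures, while baseurl is still http://; repository metadata is not signature-checked unless repo_gpgcheck is also enabled. The following audit of .repo files is an added example, not part of the original notes: audit_repo_file and sample_repos are hypothetical names, and the [example-weak] section is constructed.

```shell
# Added example: flag weak settings in DNF/Yum .repo files. audit_repo_file
# is a hypothetical helper; it reads the named files, or stdin if none.
audit_repo_file() {
    awk '
        function report() {
            if (sect == "") return
            if (check == "")
                print sect ": gpgcheck not set here, inherits [main]"
            else if (tolower(check) !~ /^(1|yes|true|on)$/)
                print sect ": gpgcheck is disabled"
            if (url ~ /^http:/) print sect ": baseurl uses plain HTTP"
            if (key ~ /^http:/) print sect ": gpgkey fetched over plain HTTP"
        }
        /^[ \t]*([#;]|$)/ { next }      # comments and blank lines
        /^\[/ {                         # new [section]: report the last one
            report()
            sect = substr($0, 2, index($0, "]") - 2)
            check = url = key = ""
            next
        }
        {                               # key=value line inside a section
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "gpgcheck") check = v
            else if (k == "baseurl") url = v
            else if (k == "gpgkey") key = v
        }
        END { report() }' "$@"
}

# Constructed input: the first repo file above plus an invented weak entry.
sample_repos() {
    cat <<'EOF'
[google-chrome]
name=Google
baseurl=http://dl.google.com/linux/chrome/rpm/stable/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-google-linux

[example-weak]
baseurl=http://repo.example.invalid/fedora/$basearch
gpgcheck=0
EOF
}

sample_repos | audit_repo_file
```

On a live system, run it as `audit_repo_file /etc/yum.repos.d/*.repo`; a section without its own gpgcheck line takes the value from [main] in /etc/dnf/dnf.conf.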

To see the repository's packages:

-> repoquery --repoid google-chrome '*'
google-chrome-beta-0:37.0.2062.68-1.x86_64
google-chrome-stable-0:36.0.1985.125-1.x86_64
google-chrome-unstable-0:38.0.2114.2-1.x86_64

RPM Fusion Repositories

To add the RPM Fusion free repository (package rpmfusion-free-release), first install the package, then verify the fingerprint of the installed signing key against the published fingerprint:

-> yum install --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm 
-> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-20
pub  4096R/AE688223 2013-01-01 RPM Fusion free repository for Fedora (20) <rpmfusion-buildsys@lists.rpmfusion.org>
     Key fingerprint = 0017 DDFE FD13 2929 9D55  B1D3 963A 8848 AE68 8223

The package installs additional keys for Fedora 21 and 22; verify these as required.

-> ls --classify /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free* | grep --invert-match @
/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-20-primary
/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-21-primary
/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-22-primary

To install the RPM Fusion nonfree repository (package rpmfusion-nonfree-release), substitute "nonfree" for "free" above:

-> yum install --nogpgcheck http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm 
-> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-20-primary
pub  4096R/B5F29883 2013-01-01 RPM Fusion nonfree repository for Fedora (20) <rpmfusion-buildsys@lists.rpmfusion.org>
      Key fingerprint = A84D CF58 46CB 10B6 5C47  6C35 63C0 DE8C B5F2 9883

These repositories offer hundreds of packages:

-> yum repolist --disablerepo '*' --enablerepo rpmfusion-*free
...
repo id                     ... repo name                          ... status
rpmfusion-free/20/x86_64    ... RPM Fusion for Fedora 20 - Free    ... 468
rpmfusion-nonfree/20/x86_64 ... RPM Fusion for Fedora 20 - Nonfree ... 203
repolist: 671

RPM Queries

To tell RPM what tags you want a query to report, use option --queryformat. For example:

-> rpm --query --group "Applications/Databases" --queryformat "%{name}: %{summary}\n" | sort
libdb-utils: Command line tools for managing Berkeley DB databases
mariadb: A community developed branch of MySQL
mariadb-libs: The shared libraries required for MariaDB/MySQL clients
mariadb-server: The MariaDB server and related files
sqlite: Library that implements an embeddable SQL database engine

To list the tags for --queryformat:

-> rpm --querytags
ARCH
..
XPM
-> rpm --querytags | wc --lines
189

See section Query Options of the man page for details.

To list the RPM package groups:

-> rpm --query --all --queryformat "%{group}\n" | sort --unique
Amusements/Graphics
...
User Interface/X Hardware Support
-> rpm --query --all --queryformat "%{group}\n" | sort --unique | wc --lines
31

Package Signatures

RPM repositories sign their packages with a private key, and rpm uses corresponding public keys to verify downloaded packages. The local RPM database maintains its own keyring for the repositories rpm searches, and rpm itself is used to manage this keyring.

Fedora signs its packages with a private key specific to each release. For example:

-> rpm --query --group 'Applications/Databases' --queryformat "%-15{name} | %{SIGPGP:pgpsig}\n";
libdb-utils     | RSA/SHA256, Wed 09 Oct 2013 11:51:06 PM EDT, Key ID 2eb161fa246110c1
sqlite          | RSA/SHA256, Tue 10 Jun 2014 12:18:56 PM EDT, Key ID 2eb161fa246110c1
mariadb-libs    | RSA/SHA256, Mon 30 Jun 2014 10:42:50 AM EDT, Key ID 2eb161fa246110c1
mariadb         | RSA/SHA256, Mon 30 Jun 2014 10:43:08 AM EDT, Key ID 2eb161fa246110c1
mariadb-server  | RSA/SHA256, Mon 30 Jun 2014 10:43:21 AM EDT, Key ID 2eb161fa246110c1

RPM verifies a package's signature against the corresponding public key stored under directory /etc/pki/rpm-gpg. The ID above corresponds to the primary key for Fedora 20:

-> gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-primary
pub  4096R/246110C1 2013-05-16
      Key fingerprint = C7C9 A9C8 9153 F201 83CE  7CBA 2EB1 61FA 2461 10C1
uid                            Fedora (20) <fedora@fedoraproject.org>

Other repositories likewise sign their packages and provide a public key for subsequent verification. Directory /etc/pki/rpm-gpg comprises RPM's own keyring. Each of its files holds the public key of a repository:

-> ls -1 --classify /etc/pki/rpm-gpg | grep --invert-match '@' # grep to drop symbolic links
RPM-GPG-KEY-adobe-linux
RPM-GPG-KEY-fedora-20-primary
...
RPM-GPG-KEY-rpmfusion-nonfree-fedora-22-primary
-> file --brief /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-primary 
PGP public key block

Several packages populate this keyring:

-> rpm --query --file /etc/pki/rpm-gpg/* | sort --unique
adobe-release-x86_64-1.0-1.noarch
fedora-release-20-3.noarch
rpmfusion-free-release-20-1.noarch
rpmfusion-nonfree-release-20-1.noarch

Package fedora-release-20-3, in particular, provides Fedora's keys:

-> rpm --query --file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-20-primary
fedora-release-20-3.noarch

To see the available GPG keys plus summaries:

-> rpm --query --group "Public Keys" --queryformat "%{name}-%{version}-%{release}: %{summary}\n"
gpg-pubkey-ae688223-50e31483: gpg(RPM Fusion free repository for Fedora (20) ...
gpg-pubkey-b5f29883-50e31701: gpg(RPM Fusion nonfree repository for Fedora (20) ...
gpg-pubkey-246110c1-51954fca: gpg(Fedora (20) ...
gpg-pubkey-f6777c67-45e5b1b9: gpg(Adobe Systems Incorporated (Linux RPM Signing Key) ...
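
The signature query and the key listing above can be combined to find installed packages that are unsigned or signed by a key that was never imported. This is an added example, not part of the original notes: untrusted_signers and sample_sigs are hypothetical names, and two of the three sample lines are constructed.

```shell
# Added example: list installed packages that are unsigned or signed by a
# key that has not been imported. untrusted_signers is a hypothetical name.
#
# stdin: lines shaped like the signature query output above,
#        "name | ALGO, date, Key ID <hex>"  (unsigned packages show "(none)")
# args:  short IDs of the imported keys, i.e. the version field of each
#        gpg-pubkey package (the last 8 hex digits of the key ID)
untrusted_signers() {
    awk -F'[|]' -v trusted=" $* " '
        {
            name = $1; gsub(/[ \t]+/, "", name)
            if (name == "gpg-pubkey") next    # key pseudo-packages carry none
            if (match($2, /Key ID [0-9a-fA-F]+/)) {
                id = tolower(substr($2, RSTART + 7, RLENGTH - 7))
                short = substr(id, length(id) - 7)
                if (index(trusted, " " short " ") == 0)
                    print name ": signed by unknown key " id
            } else
                print name ": no signature"
        }'
}

# First line is from the listing above; the other two are constructed.
sample_sigs() {
    cat <<'EOF'
libdb-utils     | RSA/SHA256, Wed 09 Oct 2013 11:51:06 PM EDT, Key ID 2eb161fa246110c1
example-tool    | RSA/SHA256, Mon 01 Jan 2018 12:00:00 AM EST, Key ID 0123456789abcdef
local-build     | (none)
EOF
}

# Short IDs as listed by the "Public Keys" query (246110c1 is Fedora 20).
sample_sigs | untrusted_signers 246110c1 ae688223 b5f29883

# On a live system (same queries as on this page, over all packages):
#   rpm --query --all --queryformat '%{name} | %{SIGPGP:pgpsig}\n' |
#     untrusted_signers $(rpm --query gpg-pubkey --queryformat '%{version}\n')
```

The gpg-pubkey version field carries only the last 8 hex digits of the key ID, so treat a match as an inventory check and confirm full fingerprints with gpg, as shown elsewhere on this page.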

To see the details of a particular key, for example:

-> rpm --query --info gpg-pubkey-f6777c67-45e5b1b9
Name        : gpg-pubkey
Version     : f6777c67
Release     : 45e5b1b9
...

Public keys for RPM are stored as ASCII-armored metadata in an rpm file that is otherwise an empty package. For example:

-> rpm --query --list gpg-pubkey-246110c1-51954fca
(contains no files)
-> rpm --query --info gpg-pubkey-246110c1-51954fca
Name        : gpg-pubkey
Version     : 246110c1
Release     : 51954fca
...
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.11.1 (NSS-3)

mQINBFGVT8oBEADiEFecKV2eDgaIoK6O/+2UxTGYHpVJYHj7Jl2EGHZWJ3jaN2xD
...
=EJ/7
-----END PGP PUBLIC KEY BLOCK-----

To remove a key:

-> rpm --erase gpg-pubkey-f6777c67-45e5b1b9
-> rpm --query gpg-pubkey-f6777c67-45e5b1b9
package gpg-pubkey-f6777c67-45e5b1b9 is not installed

Yum plugin package yum-plugin-keys adds commands keys, keys-info, keys-data, and keys-remove.

-> yum keys 
Loaded plugins: keys, langpacks, refresh-packagekit
Key owner                                      ...  Key ID
Fedora (20)                                    ...  246110c1-51954fca
RPM Fusion free repository for Fedora (20)     ...  ae688223-50e31483
RPM Fusion nonfree repository for Fedora (20)  ...  b5f29883-50e31701
keys done
-> yum keys-info 246110c1-51954fca
Loaded plugins: keys, langpacks, refresh-packagekit
Type       : GPG
Rpm Key ID : 246110c1-51954fca
Key owner  : Fedora (20) 
...
Primary ID : Fedora (20) <fedora@fedoraproject.org>
Algorithm  : RSA (Encrypt or Sign)
Fingerprint: c7c9 a9c8 9153 f201 83ce 7cba 2eb1 61fa 2461 10c1
Key ID     : 2eb161fa246110c1

Removing a Kernel Package

To remove a retired kernel package (should disk space get tight, for example):

-> rpm --query --group "System Environment/Kernel" | grep kernel
kernel-3.15.6-200.fc20.x86_64
kernel-3.15.7-200.fc20.x86_64
kernel-3.15.8-200.fc20.x86_64
-> uname --kernel-release
3.15.8-200.fc20.x86_64
-> yum erase kernel-3.15.6-200.fc20.x86_64
...

RPM Developer Tools

rpmdevtools rpm-build

Install the RPM Developer tools package rpmdevtools (Development tools) to build the Linux kernel from Fedora source files. (Building requires qt-devel and libXi-devel too.) To configure (as ordinary user):

-> mkdir ~/scratch/rpmbuild
-> cat > ~/.rpmmacros <<STOP
%_topdir      /home/ray/scratch/rpmbuild
%_smp_mflags  -j3
%__arch_install_post /usr/lib/rpm/check-rpaths /usr/lib/rpm/check-buildroot
STOP
-> rpmdev-setuptree

This will create directory ~/scratch/rpmbuild with required subdirectories:

-> ls ~/scratch/rpmbuild/
BUILD/  RPMS/  SOURCES/  SPECS/  SRPMS/

-> cd ~/scratch/rpmbuild
-> dnf download --source p11-kit --downloaddir ./SRPMS
enabling updates-source repository
enabling fedora-source repository
enabling rpmfusion-free-updates-source repository
enabling rpmfusion-free-source repository
enabling rpmfusion-nonfree-updates-source repository
enabling rpmfusion-nonfree-source repository
Last metadata expiration check: 0:07:09 ago on Sat 17 Feb 2018 12:57:07 PM EST.
p11-kit-0.23.9-2.fc27.src.rpm                                                  1.6 MB/s | 1.1 MB     00:00    
-> ls SRPMS/
p11-kit-0.23.9-2.fc27.src.rpm

-> rpmbuild -bp SPECS/p11-kit.spec 
error: Failed build dependencies:
	gtk-doc is needed by p11-kit-0.23.9-2.fc27.x86_64
	libffi-devel is needed by p11-kit-0.23.9-2.fc27.x86_64
	libtasn1-devel >= 2.3 is needed by p11-kit-0.23.9-2.fc27.x86_64