Forge Home


Manage your RPM keyring through puppet


66 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.0.1 (latest)
  • 2.0.0
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0
released May 19th 2024
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 9.0.0
  • , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'stschulte-rpmkey', '2.0.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add stschulte-rpmkey
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install stschulte-rpmkey --version 2.0.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: gpg, rpm


stschulte/rpmkey — version 2.0.1 May 19th 2024

Puppet RPMKEY Module

Build Status Coverage Status Puppet Forge

This repository aims to ease the GPG keymanagement with rpm


A package maintainer can sign his RPM packages with a secret gpg key. This allows a third party (e.g. you) to verify the package with the corresponding public key. The rpm utility has its own keyring and commands to import and remove public gpg keys.

A key can be imported with rpm --import and will then present itself as an installed package of the form gpgkey-#{keyid}-#{signature_date}. In the same way the key can be removed from the keyring by removing the corresponding package with rpm --erase

The puppet way

The new puppet rpmkey type treats a single key as a puppet resource so you can e.g. specify

rpmkey { '0608B895':
  ensure => present,
  source => '',

The above resource will import the key if it is not already present. If you want to make sure that a key is absent (remove it when it is present) specify the following instead:

rpmkey { '0608B895':
  ensure => absent,

The name of the rpmkey resource has to be the keyID of the gpg key. If you have the public key available as a file but you are unsure of the correct keyID, use gpg to extract the keyID. For example, to find the keyID used by EPEL 7:

$ gpg ./RPM-GPG-KEY-EPEL-7
pub  4096R/352C64E5 2013-12-16 Fedora EPEL (7) <>

The string after the / is what rpmkey expects (352C64E5).

Running the tests

The easiest way to run the tests is via bundler

bundle install
bundle exec rake spec SPEC_OPTS='--format documentation'


Thanks to the following contributers, who made this module more usable:

  • Gene Liverman
  • Michael Moll
  • duritong