# Repository metadata signing in AL2023
<a name="repo-metadata-signing"></a>

Starting with release `2023.11.20260406`, AL2023 repositories include cryptographic signatures for repository metadata. Each repository's `repomd.xml` file is accompanied by a detached GPG signature file (`repomd.xml.asc`) that you can use to verify the authenticity and integrity of the repository metadata before packages are downloaded.

This signing is in addition to the existing RPM package signing (`gpgcheck`), which verifies individual packages. Repository metadata signing verifies the metadata that describes the contents of the repository, such as the list of available packages and their checksums.

## How repository metadata signing works
<a name="repo-metadata-signing-overview"></a>

When AL2023 repositories are published, the repository metadata (`repomd.xml`) is signed using an AWS KMS key. The resulting detached signature (`repomd.xml.asc`) is placed alongside the metadata in the repository.

When you enable `repo_gpgcheck` in your repository configuration, DNF automatically downloads and verifies the `repomd.xml.asc` signature against the GPG public key before using the repository metadata. If the signature verification fails, DNF rejects the repository metadata and does not proceed with package operations from that repository. For more information about `repo_gpgcheck`, see the [DNF Configuration Reference](https://dnf.readthedocs.io/en/latest/conf_ref.html).

The following AL2023 repositories include signed metadata:
+ Core repository (`amazonlinux`)
+ Kernel Livepatch repository (`kernel-livepatch`)
+ NVIDIA repository (`amazonlinux-nvidia`)
+ Supplementary Packages for Amazon Linux repository (`amazonlinux-spal`)

## Difference between `gpgcheck` and `repo_gpgcheck`
<a name="repo-metadata-signing-gpgcheck-vs-repo-gpgcheck"></a>

| Setting | What it verifies | Default in AL2023 |
| --- | --- | --- |
| `gpgcheck=1` | Verifies the GPG signature of individual RPM packages before installation. | Enabled |
| `repo_gpgcheck=1` | Verifies the GPG signature of the repository metadata (`repomd.xml`) before using the repository. | Disabled (enabled by default starting with the 2023.12 quarterly release) |

We strongly recommend that you enable both `gpgcheck` and `repo_gpgcheck`. This ensures that both the repository metadata and the individual packages are verified before use.

## Enabling repository metadata verification
<a name="repo-metadata-signing-enable"></a>

You can enable repository metadata verification for individual repositories by updating their configuration files.

**Important**  
Starting with the `2023.12` quarterly release, `repo_gpgcheck=1` will be enabled by default in the AL2023 repository configuration files.

### Enable for a specific repository
<a name="repo-metadata-signing-enable-per-repo"></a>

The AL2023 repository configuration files in `/etc/yum.repos.d/` set `repo_gpgcheck=0` by default. To enable repository metadata verification, change this value to `1` in the repository configuration. For example, to enable it for the core repository:

```
[amazonlinux]
name=Amazon Linux 2023 repository
...
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
```
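The snippet above shows the change by hand for one repository. As an added example (not from the AL2023 documentation), the following POSIX shell script audits every section of a `.repo` file for both checks and rewrites `repo_gpgcheck` to `1` where it is `0` or missing; the sample `.repo` content it writes is constructed for the demonstration.

```shell
# Added example (not from the AL2023 documentation): audit .repo files for
# gpgcheck and repo_gpgcheck, and turn repo_gpgcheck on in every section.
# Needs only POSIX sh and awk; the sample .repo content below is constructed.

# Print "section<TAB>gpgcheck<TAB>repo_gpgcheck" per [section]; a key absent from
# a section reads "unset" (DNF then uses the global default, 0 for repo_gpgcheck).
audit_repo_file() {
    awk '
        function flush() { if (sec != "") printf "%s\t%s\t%s\n", sec, g, r }
        /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {
            flush(); sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
            g = "unset"; r = "unset"; next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/      { sub(/^[^=]*=[[:space:]]*/, ""); g = $0 }
        /^[[:space:]]*repo_gpgcheck[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); r = $0 }
        END { flush() }
    ' "$1"
}
# Rewrite a .repo file in place so every section carries repo_gpgcheck=1: rewrite
# an existing line, or append one to a section that lacks it (blank lines held).
enable_repo_gpgcheck() {
    tmp="$1.tmp.$$"
    awk '
        function flush() { printf "%s", pending; pending = "" }
        function end_section() { if (insec && !seen) print "repo_gpgcheck=1"; flush() }
        /^[[:space:]]*$/ { pending = pending $0 "\n"; next }
        /^[[:space:]]*\[[^]]+\][[:space:]]*$/ { end_section(); insec = 1; seen = 0; print; next }
        /^[[:space:]]*repo_gpgcheck[[:space:]]*=/ { flush(); print "repo_gpgcheck=1"; seen = 1; next }
        { flush(); print }
        END { end_section() }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}
# Sections where either check is not 1; no output means both checks are on.
weak_sections() {
    audit_repo_file "$1" | awk -F '\t' '$2 != "1" || $3 != "1" { print $1 }'
}
# Constructed sample shaped like /etc/yum.repos.d/amazonlinux.repo: one section
# with repo_gpgcheck=0, one with the key missing entirely.
write_sample_repo() {
    printf '%s\n' '[amazonlinux]' 'name=Amazon Linux 2023 repository' 'gpgcheck=1' \
        'repo_gpgcheck=0' 'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023' '' \
        '[kernel-livepatch]' 'name=Amazon Linux 2023 Kernel Livepatch repository' \
        'gpgcheck=1' 'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023' > "$1"
}

sample=$(mktemp) && write_sample_repo "$sample"
echo "weak before: $(weak_sections "$sample" | tr '\n' ' ')"
enable_repo_gpgcheck "$sample"
echo "weak after:  $(weak_sections "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

To apply it to a live system, run `enable_repo_gpgcheck` as root over each file in `/etc/yum.repos.d/*.repo`, then refresh the metadata as described in the next section so any verification failure shows up immediately.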

## Verifying that repository metadata signing is working
<a name="repo-metadata-signing-verify"></a>

After enabling `repo_gpgcheck=1`, you can verify that metadata verification is working by clearing the DNF cache and refreshing the metadata:

```
[ec2-user ~]$ sudo dnf clean metadata
[ec2-user ~]$ sudo dnf makecache
```

If the metadata verification succeeds, DNF imports the GPG key (if not already imported) and creates the metadata cache without errors. You will see output similar to the following:

```
Amazon Linux 2023 repository                    1.7 MB/s | 1.8 kB     00:00
Importing GPG key 0xD832C631:
 Userid     : "Amazon Linux <amazon-linux@amazon.com>"
 Fingerprint: B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
Amazon Linux 2023 repository                      18 MB/s |  55 MB     00:03
Metadata cache created.
```

If the signature verification fails, DNF displays an error message indicating that GPG signature verification of the repository metadata failed, and the metadata cache for that repository is not created.

## GPG public keys for AL2023 repositories
<a name="repo-metadata-signing-gpg-keys"></a>

The GPG public keys used for repository metadata verification are installed by the corresponding repository configuration RPMs to `/etc/pki/rpm-gpg/`. The following table lists the public keys used by each repository.


| Repository | Package signing key | Repodata signing key | Distributed in | 
| --- | --- | --- | --- | 
| Core (amazonlinux) | RPM-GPG-KEY-amazon-linux-2023 | RPM-GPG-KEY-amazon-linux-2023 | system-release | 
| Kernel Livepatch (kernel-livepatch) | RPM-GPG-KEY-amazon-linux-2023 | RPM-GPG-KEY-amazon-linux-2023 | system-release | 
| NVIDIA (amazonlinux-nvidia) | RPM-GPG-KEY-NVIDIA-D42D0685 | RPM-GPG-KEY-amazon-linux-2023-nvidia | nvidia-release | 
| SPAL (amazonlinux-spal) | RPM-GPG-KEY-amazonlinux-spal | RPM-GPG-KEY-amazonlinux-spal | spal-release | 

These keys are automatically installed when you install the corresponding repository configuration RPM.