<html><head></head><body><div>dnf handles repo_gpgcheck=1 incorrectly. Where should I report it?</div><div><br></div><div><br></div><div>I see 3 issues with the current behavior:</div><div>1. dnf stores a separate copy of the key for each repo in the cache</div><div>2. dnf -y update will add keys without prompting the user</div><div>3. clearing the dnf cache drops the keys, exposing the system to </div><div><br></div><div>STEPS TO REPRODUCE (USE CASE 1)</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;"># dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;"># dnf update</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;"><br></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; 
font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;">EXPECTED RESULT</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;">dnf will call gpg to import the keys into root's keyring.</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;">gpg will query the operator once for each key</div><br class="Apple-interchange-newline">ACTUAL RESULT<div>dnf queries the operator once for each repo, loads that repo, then moves to the next repo. 
</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;">dnf stores the gpg keys under /var/cache/dnf, for example:</div><div><span class="Apple-tab-span" style="white-space: pre;"> </span>/var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg</div><div><span class="Apple-tab-span" style="white-space: pre;"> </span>/var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg</div><div><span class="Apple-tab-span" style="white-space: pre;"> </span>/var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg</div><div><span class="Apple-tab-span" style="white-space: pre;"> </span>/var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg</div><div><br></div><div><br></div><div><div><br></div><div>STEPS TO REPRODUCE (USE CASE 2)</div><div># dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools</div><div># dnf -y update</div><div><br></div><div>EXPECTED RESULT</div><div>dnf will call gpg to import the keys into the user's keyring (root, in this case).</div><div>gpg will ignore "-y" passed to dnf</div><div><br></div><div>ACTUAL RESULT</div><div>dnf accepts the keys without asking, stores the gpg keys under /var/cache/dnf</div><div>Examples:</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>/var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>/var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>/var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg</div><div><span 
class="Apple-tab-span" style="white-space:pre"> </span>/var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg</div><div><br></div><div><br></div><div><br></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;">STEPS TO REPRODUCE (USE CASE 3)</div><div># dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools</div><div># dnf -y update<span class="Apple-tab-span" style="white-space:pre"> </span># ref #1</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;"># dnf update<span class="Apple-tab-span" style="white-space:pre"> </span># ref #2</div><div># rm -Rf /var/cache/dnf/*</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666666984558105px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;"># dnf update<span class="Apple-tab-span" style="white-space: pre;"> </span># ref #3</div><br 
class="Apple-interchange-newline"><div><span></span></div></div><div>EXPECTED RESULT OF ref#3</div><div>dnf already has the keys</div><div><br></div><div>ACTUAL RESULT OF ref#3</div><div>dnf asks the operator to accept the same key 4 times</div><div><br></div><div>PROPOSED FIX</div><div>dnf's repo_gpgcheck should check the signature against keys in the user's keyring.</div><div>Key management should be done using gpg, not dnf.</div></body></html>
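Added example, not part of the original message and not dnf's own code: a check an operator could run before an unattended `dnf -y update` to see which repos currently have no cached keyring, which is the state the report describes after the cache is cleared. It assumes the `<cache>/<repoid>-<16 hex digits>/pubring/` layout shown in the paths above; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Inventory dnf's per-repo cached keyrings.
# Assumed layout (taken from the paths in the report):
#   <cache_root>/<repoid>-<16 hex digits>/pubring/

# Print "<repoid> <pubring dir>" for every cache directory holding a keyring.
list_repo_keyrings() {
    local cache_root=$1 dir name repo
    for dir in "$cache_root"/*/pubring; do
        [ -d "$dir" ] || continue      # unmatched glob, or not a directory
        name=$(basename "$(dirname "$dir")")
        # Strip the trailing "-<16 hex digits>" to recover the repo id.
        repo=$(printf '%s' "$name" | sed -E 's/-[0-9a-f]{16}$//')
        printf '%s %s\n' "$repo" "$dir"
    done
}

# Print each repo id given as an argument that has no cached keyring.
# Per the report, these are the repos whose key would be requested again,
# or accepted without a prompt when dnf is run with -y.
repos_without_keyring() {
    local cache_root=$1 repo have
    shift
    have=$(list_repo_keyrings "$cache_root" | cut -d' ' -f1)
    for repo in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$repo" || printf '%s\n' "$repo"
    done
}

# When repo ids are passed on the command line, check the live cache, e.g.
#   ./check-keyrings.sh appstream baseos extras powertools
if [ "$#" -gt 0 ]; then
    repos_without_keyring /var/cache/dnf "$@"
fi
```

Any repo id this prints is one to handle interactively, or with its key verified out of band, before `-y` is used.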