dnf handles repo_gpgcheck=1 incorrectly. Where should I report it?
I see 3 issues with the current behavior: 1. dnf stores a separate copy of the key for each repo in the cache 2. dnf -y update will add keys without prompting the user 3. clearing the dnf cache drops the keys, exposing the system to
STEPS TO REPRODUCE (USE CASE 1) # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools # dnf update
EXPECTED RESULT dnf will call gpg to import the keys into root's keyring. gpg will query the operator once for each key
ACTUAL RESULTdnf queries the operator once for each repo, loads that repo, then moves to the next repo. dnf stores the gpg keys under /var/cache/dnf, for example: /var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg /var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg /var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg /var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg
STEPS TO REPRODUCE (USE CASE 2) # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools # dnf -y update
EXPECTED RESULT dnf will call gpg to import the keys into the user's keyring (root, in this case). gpg will ignore "-y" passed to dnf
ACTUAL RESULT dnf accepts the keys without asking, stores the gpg keys under /var/cache/dnf Examples: /var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg /var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg /var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg /var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg
STEPS TO REPRODUCE (USE CASE 3) # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools # dnf -y update # ref #1 # dnf update # ref #2 # rm -Rf /var/cache/dnf/* # dnf update # ref #3
EXPECTED RESULT OF ref#3 dnf already has the keys
ACTUAL RESULT OF ref#3 dnf asks the operator to accept the same key 4 times
PROPOSED FIX dnf's repo_gpgcheck should check the signature against keys in the user's keyring. Key management should be done using gpg, not dnf.
Can you file this up at : https://bugs.centos.org/
On Fri, 2021-02-12 at 11:50 -0500, David Johnston wrote:
dnf handles repo_gpgcheck=1 incorrectly. Where should I report it?
I see 3 issues with the current behavior:
- dnf stores a separate copy of the key for each repo in the cache
- dnf -y update will add keys without prompting the user
- clearing the dnf cache drops the keys, exposing the system to
STEPS TO REPRODUCE (USE CASE 1) # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools # dnf update
EXPECTED RESULT dnf will call gpg to import the keys into root's keyring. gpg will query the operator once for each key
ACTUAL RESULT dnf queries the operator once for each repo, loads that repo, then moves to the next repo. dnf stores the gpg keys under /var/cache/dnf, for example: /var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg /var/cache/dnf/powertools- 25a6a2b331e53e98/pubring/trustdb.gpg /var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg /var/cache/dnf/appstream- a520ed22b0a8a736/pubring/trustdb.gpg
STEPS TO REPRODUCE (USE CASE 2) # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools # dnf -y update
EXPECTED RESULT dnf will call gpg to import the keys into the user's keyring (root, in this case). gpg will ignore "-y" passed to dnf
ACTUAL RESULT dnf accepts the keys without asking, stores the gpg keys under /var/cache/dnf Examples: /var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg /var/cache/dnf/powertools- 25a6a2b331e53e98/pubring/trustdb.gpg /var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg /var/cache/dnf/appstream- a520ed22b0a8a736/pubring/trustdb.gpg
STEPS TO REPRODUCE (USE CASE 3) # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools # dnf -y update # ref #1 # dnf update # ref #2 # rm -Rf /var/cache/dnf/* # dnf update # ref #3
EXPECTED RESULT OF ref#3 dnf already has the keys
ACTUAL RESULT OF ref#3 dnf asks the operator to accept the same key 4 times
PROPOSED FIX dnf's repo_gpgcheck should check the signature against keys in the user's keyring. Key management should be done using gpg, not dnf. _______________________________________________ CentOS-devel mailing list CentOS-devel@centos.org https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.centos.org_mailma...
-
David Johnston -
Patrick Riehecky