[CentOS-devel] bug report - dnf and repo_gpgcheck=1

Fri Feb 12 16:50:32 UTC 2021
David Johnston <David at Littlebald.com>

dnf handles repo_gpgcheck=1 incorrectly. Where should I report it?


I see 3 issues with the current behavior:
1. dnf stores a separate copy of the key for each repo in the cache
2. dnf -y update will add keys without prompting the user
3. clearing the dnf cache drops the keys, exposing the system to 

STEPS TO REPRODUCE (USE CASE 1)
# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf  update

EXPECTED RESULT
dnf will call gpg to import the keys into root's keyring.
gpg will query the operator once for each key

ACTUAL RESULT
dnf queries the operator once for each repo, loads that repo, then
moves to the next repo.
dnf stores the gpg keys under /var/cache/dnf, for example:
 /var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg
 /var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg
 /var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg
 /var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg



STEPS TO REPRODUCE (USE CASE 2)
# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf -y update

EXPECTED RESULT
dnf will call gpg to import the keys into the user's keyring (root, in
this case).
gpg will ignore "-y" passed to dnf

ACTUAL RESULT
dnf accepts the keys without asking, stores the gpg keys under
/var/cache/dnf
Examples:
/var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg
/var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg
/var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg
/var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg



STEPS TO REPRODUCE (USE CASE 3)
# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf -y update # ref #1
# dnf update # ref #2
# rm -Rf /var/cache/dnf/*
# dnf update # ref #3

EXPECTED RESULT OF ref#3
dnf already has the keys

ACTUAL RESULT OF ref#3
dnf asks the operator to accept the same key 4 times

PROPOSED FIX
dnf's repo_gpgcheck should check the signature against keys in the
user's keyring.
Key management should be done using gpg, not dnf.
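An added audit helper, not from this post or from the dnf project, that assumes gpg is installed and that dnf's per-repo pubring directory is usable as a gpg home directory: it lists the key fingerprints each repo keyring under /var/cache/dnf has accepted, so keys imported without a prompt under `dnf -y` can be compared against the keys rpm trusts (`rpm -q gpg-pubkey`), and it flags keys stored once per repo.

```shell
#!/bin/sh
# Audit the per-repo keyrings dnf keeps under /var/cache/dnf/<repo>-<hash>/pubring/.
# Assumption: each pubring directory (it holds trustdb.gpg) works as a gpg --homedir.

# Extract fingerprints from `gpg --with-colons` output read on stdin, one per line.
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Derive the repo id from a cache dir name: "extras-2770d521ba03e231" -> "extras".
repo_id_from_dir() {
    printf '%s\n' "$(basename "$1")" | sed 's/-[0-9a-f]\{16\}$//'
}

# List accepted keys per repo under the cache root given as $1 (default /var/cache/dnf).
# Output lines: "<repo> <fingerprint>". Repos with no pubring directory are skipped.
audit_dnf_repo_keys() {
    cache="${1:-/var/cache/dnf}"
    for home in "$cache"/*/pubring; do
        [ -d "$home" ] || continue
        repo=$(repo_id_from_dir "$(dirname "$home")")
        gpg --homedir "$home" --batch --no-tty --with-colons --list-keys 2>/dev/null \
            | fprs_from_colons | while read -r fpr; do
                printf '%s %s\n' "$repo" "$fpr"
            done
    done
}

# Read "<repo> <fingerprint>" lines on stdin and report fingerprints that appear in
# more than one repo keyring (issue 1 in the post: one copy of the key per repo).
duplicated_keys() {
    awk '{ n[$2]++; r[$2] = r[$2] " " $1 }
         END { for (k in n) if (n[k] > 1) print k ":" r[k] }'
}

# Typical use (needs root to read the cache):
#   audit_dnf_repo_keys | duplicated_keys
```

Fingerprints reported here can be checked against `rpm -q gpg-pubkey` to see which repo keys were accepted into the cache without ever being imported into the rpm keyring.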