dnf handles repo_gpgcheck=1 incorrectly. Where should I report it?

I see 3 issues with the current behavior:

1. dnf stores a separate copy of the key for each repo in the cache
2. dnf -y update will add keys without prompting the user
3. clearing the dnf cache drops the keys, exposing the system to

STEPS TO REPRODUCE (USE CASE 1)

# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf update

EXPECTED RESULT

dnf will call gpg to import the keys into root's keyring. gpg will query the operator once for each key.

ACTUAL RESULT

dnf queries the operator once for each repo, loads that repo, then moves to the next repo. dnf stores the gpg keys under /var/cache/dnf, for example:

/var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg
/var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg
/var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg
/var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg

STEPS TO REPRODUCE (USE CASE 2)

# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf -y update

EXPECTED RESULT

dnf will call gpg to import the keys into the user's keyring (root, in this case). gpg will ignore "-y" passed to dnf.

ACTUAL RESULT

dnf accepts the keys without asking and stores the gpg keys under /var/cache/dnf. Examples:

/var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg
/var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg
/var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg
/var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg

STEPS TO REPRODUCE (USE CASE 3)

# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf -y update        # ref #1
# dnf update           # ref #2
# rm -Rf /var/cache/dnf/*
# dnf update           # ref #3

EXPECTED RESULT OF ref #3

dnf already has the keys.

ACTUAL RESULT OF ref #3

dnf asks the operator to accept the same key 4 times.

PROPOSED FIX

dnf's repo_gpgcheck should check the signature against keys in the user's keyring. Key management should be done using gpg, not dnf.
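The following script is an added example for readers of this report; it is not part of the original post and not dnf's own code. It does two things the post discusses: it walks the per-repo keyrings that dnf keeps under /var/cache/dnf (so the duplicated keys from issue 1 can be seen side by side by fingerprint), and it verifies a repo's repomd.xml signature with gpg against the invoking user's own keyring, which is the behavior the proposed fix asks for. Assumptions: the cache layout is the one shown in the post (a 16-hex-character hash suffix on each repo directory, inferred from those paths), the repo publishes repodata/repomd.xml.asc next to repodata/repomd.xml, and gpg and curl are available; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from dnf itself.
# CACHE_DIR defaults to the path shown in the post; override it to inspect
# another location (the test below points it at an empty directory).
CACHE_DIR="${DNF_CACHE_DIR:-/var/cache/dnf}"

# Strip dnf's hash suffix from a cache directory name
# (assumed 16 hex chars, from the paths in the post):
#   /var/cache/dnf/extras-2770d521ba03e231 -> extras
repo_from_cachedir() {
    basename "$1" | sed 's/-[0-9a-f]\{16\}$//'
}

# Print "<repo> <fingerprint>" for every public key in every per-repo
# pubring. dnf keeps a full gpg home directory per repo, so gpg can read
# each one directly with --homedir.
list_cached_repo_keys() {
    for pub in "$CACHE_DIR"/*/pubring; do
        [ -d "$pub" ] || continue
        repo=$(repo_from_cachedir "$(dirname "$pub")")
        gpg --homedir "$pub" --list-keys --with-colons 2>/dev/null \
            | awk -F: -v r="$repo" '$1 == "fpr" { print r, $10 }'
    done
}

# Count how many repo caches hold each fingerprint. A count above 1 is
# the duplication the post describes as issue 1.
duplicate_key_report() {
    list_cached_repo_keys \
        | awk '{ n[$2]++ } END { for (f in n) print n[f], f }' \
        | sort -rn
}

# Verify one repo's metadata signature against the user's own keyring
# (root's when run as root) instead of dnf's per-repo copy. Exit status
# is gpg's: 0 only if the signature is good and the key is present.
# Usage: verify_repomd http://mirror.example/centos/8/BaseOS/x86_64/os
verify_repomd() {
    base="$1"
    tmp=$(mktemp -d)
    rc=1
    if curl -fsSL "$base/repodata/repomd.xml" -o "$tmp/repomd.xml" &&
       curl -fsSL "$base/repodata/repomd.xml.asc" -o "$tmp/repomd.xml.asc"; then
        gpg --verify "$tmp/repomd.xml.asc" "$tmp/repomd.xml"
        rc=$?
    fi
    rm -rf "$tmp"
    return $rc
}
```

Running `duplicate_key_report` on a host configured as in the post should list the same fingerprint with a count of 4, one per repo cache; `verify_repomd` only succeeds once the signing key has been imported into the user's keyring with gpg, which is the key-management model the proposed fix calls for.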