[CentOS-devel] bug report - dnf and repo_gpgcheck=1

Fri Feb 12 17:18:27 UTC 2021
Patrick Riehecky <riehecky at fnal.gov>

Can you file this up at : https://bugs.centos.org/


On Fri, 2021-02-12 at 11:50 -0500, David Johnston wrote:
> dnf handles repo_gpgcheck=1 incorrectly. Where should I report it?
> 
> 
> I see 3 issues with the current behavior:
> 1. dnf stores a separate copy of the key for each repo in the cache
> 2. dnf -y update will add keys without prompting the user
> 3. clearing the dnf cache drops the keys, exposing the system to 
> 
> STEPS TO REPRODUCE (USE CASE 1)
> # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream
> baseos extras powertools
> # dnf  update
> 
> EXPECTED RESULT
> dnf will call gpg to import the keys into root's keyring.
> gpg will query the operator once for each key
> 
> ACTUAL RESULT
> dnf queries the operator once for each repo, loads that repo, then
> moves to the next repo. 
> dnf stores the gpg keys under /var/cache/dnf, for example:
> 	/var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg
> 	/var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg
> 	/var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg
> 	/var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg
> 
> 
> 
> STEPS TO REPRODUCE (USE CASE 2)
> # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream
> baseos extras powertools
> # dnf -y update
> 
> EXPECTED RESULT
> dnf will call gpg to import the keys into the user's keyring (root,
> in this case).
> gpg will ignore "-y" passed to dnf
> 
> ACTUAL RESULT
> dnf accepts the keys without asking, stores the gpg keys under
> /var/cache/dnf
> Examples:
> 	/var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg
> 	/var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg
> 	/var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg
> 	/var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg
> 
> 
> 
> STEPS TO REPRODUCE (USE CASE 3)
> # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream
> baseos extras powertools
> # dnf -y update	# ref #1
> # dnf update		# ref #2
> # rm -Rf /var/cache/dnf/*
> # dnf update		# ref #3
> 
> EXPECTED RESULT OF ref#3
> dnf already has the keys
> 
> ACTUAL RESULT OF ref#3
> dnf asks the operator to accept the same key 4 times
> 
> PROPOSED FIX
> dnf's repo_gpgcheck should check the signature against keys in the
> user's keyring.
> Key management should be done using gpg, not dnf.
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel
>
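The report above describes three observable states an administrator may want to check on a host: which repos have repo_gpgcheck=1, which of those already have a dnf-private keyring under /var/cache/dnf (the per-repo `<repoid>-<hash>/pubring/` layout quoted in the report), and which repos share one gpgkey and will therefore be prompted for and cached separately. The script below is an added example written for this thread; it is not code from the report, from CentOS or from dnf. It assumes a dnf-style .repo file and a listing of cache paths in the quoted layout (the 16-hex-digit suffix is taken from the paths in the report; how dnf derives it is not relied on). The sample .repo content and the third cache path are constructed; the first two cache paths are the ones quoted above.

```python
"""Audit dnf repos for repo_gpgcheck and per-repo cached keyrings.

Added example for the CentOS-devel thread on repo_gpgcheck=1; not dnf code.
Assumes: a dnf-style .repo INI file, and /var/cache/dnf paths of the form
<repoid>-<16 hex chars>/pubring/... as quoted in the report.
"""
import configparser
import re
from collections import defaultdict

# Matches the cache layout quoted in the report: <repoid>-<16 hex>/pubring/
CACHE_PATH_RE = re.compile(
    r"^/var/cache/dnf/(?P<repo>.+?)-(?P<hash>[0-9a-f]{16})/pubring/"
)

# Constructed sample .repo file (not a real CentOS file). Three repos share
# one gpgkey and have repo_gpgcheck=1; the fourth has no repo_gpgcheck.
SAMPLE_REPO_CONFIG = """\
[baseos]
name=BaseOS (constructed sample)
gpgcheck=1
repo_gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[appstream]
name=AppStream (constructed sample)
gpgcheck=1
repo_gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[extras]
name=Extras (constructed sample)
gpgcheck=1
repo_gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[thirdparty]
name=Third-party repo (constructed sample)
gpgcheck=1
enabled=1
gpgkey=https://example.invalid/RPM-GPG-KEY-thirdparty
"""

# First two paths are the ones quoted in the report; the third is constructed
# (a repo with metadata cached but no accepted key, so no pubring directory).
SAMPLE_CACHE_PATHS = [
    "/var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg",
    "/var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg",
    "/var/cache/dnf/thirdparty-0123456789abcdef/repodata/repomd.xml",
]


def parse_repo_config(text):
    """Return {repoid: {"repo_gpgcheck": bool, "gpgkey": str}} from .repo text."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    cp.read_string(text)
    repos = {}
    for section in cp.sections():
        repos[section] = {
            "repo_gpgcheck": cp.get(section, "repo_gpgcheck", fallback="0") == "1",
            "gpgkey": cp.get(section, "gpgkey", fallback=""),
        }
    return repos


def repos_with_cached_keyring(cache_paths):
    """Repo ids whose accepted repo key lives in a dnf-private pubring."""
    found = set()
    for path in cache_paths:
        m = CACHE_PATH_RE.match(path)
        if m:
            found.add(m.group("repo"))
    return found


def audit(config_text, cache_paths):
    """Per-repo findings mirroring the three issues raised in the report."""
    repos = parse_repo_config(config_text)
    cached = repos_with_cached_keyring(cache_paths)
    # Group repo_gpgcheck repos by gpgkey: dnf keeps one copy per repo (issue 1).
    by_key = defaultdict(list)
    for rid, r in repos.items():
        if r["repo_gpgcheck"] and r["gpgkey"]:
            by_key[r["gpgkey"]].append(rid)
    report = {}
    for rid, r in repos.items():
        findings = []
        if not r["repo_gpgcheck"]:
            findings.append("repo metadata signature is not checked (repo_gpgcheck unset)")
        else:
            if rid in cached:
                findings.append("repo key accepted; the only copy is under "
                                "/var/cache/dnf and is lost when the cache is cleared")
            else:
                findings.append("repo key not yet accepted: an interactive run prompts, "
                                "'dnf -y' imports it without prompting")
            others = [o for o in by_key[r["gpgkey"]] if o != rid]
            if others:
                findings.append("same gpgkey as %s: dnf stores a separate copy and "
                                "prompts once per repo" % ", ".join(sorted(others)))
        report[rid] = {"repo_gpgcheck": r["repo_gpgcheck"],
                       "cached_keyring": rid in cached,
                       "findings": findings}
    return report


if __name__ == "__main__":
    for rid, entry in audit(SAMPLE_REPO_CONFIG, SAMPLE_CACHE_PATHS).items():
        print(rid, "repo_gpgcheck=%d" % entry["repo_gpgcheck"],
              "cached_keyring=%d" % entry["cached_keyring"])
        for f in entry["findings"]:
            print("  -", f)
```

On a real host, feed it the concatenated contents of /etc/yum.repos.d/*.repo and the output of `find /var/cache/dnf -path '*/pubring/*'`; a repo that shows repo_gpgcheck=1 with no cached keyring is one where the next `dnf -y` run would accept the key unattended, which is the behaviour the report flags.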