Can you file this up at: https://bugs.centos.org/

On Fri, 2021-02-12 at 11:50 -0500, David Johnston wrote:
> dnf handles repo_gpgcheck=1 incorrectly. Where should I report it?
>
> I see 3 issues with the current behavior:
> 1. dnf stores a separate copy of the key for each repo in the cache
> 2. dnf -y update will add keys without prompting the user
> 3. clearing the dnf cache drops the keys, exposing the system to
>
> STEPS TO REPRODUCE (USE CASE 1)
> # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
> # dnf update
>
> EXPECTED RESULT
> dnf will call gpg to import the keys into root's keyring.
> gpg will query the operator once for each key
>
> ACTUAL RESULT
> dnf queries the operator once for each repo, loads that repo, then moves to the next repo.
> dnf stores the gpg keys under /var/cache/dnf, for example:
> /var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg
> /var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg
> /var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg
> /var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg
>
> STEPS TO REPRODUCE (USE CASE 2)
> # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
> # dnf -y update
>
> EXPECTED RESULT
> dnf will call gpg to import the keys into the user's keyring (root, in this case).
> gpg will ignore "-y" passed to dnf
>
> ACTUAL RESULT
> dnf accepts the keys without asking, stores the gpg keys under /var/cache/dnf
> Examples:
> /var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg
> /var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg
> /var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg
> /var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg
>
> STEPS TO REPRODUCE (USE CASE 3)
> # dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
> # dnf -y update    # ref #1
> # dnf update       # ref #2
> # rm -Rf /var/cache/dnf/*
> # dnf update       # ref #3
>
> EXPECTED RESULT OF ref#3
> dnf already has the keys
>
> ACTUAL RESULT OF ref#3
> dnf asks the operator to accept the same key 4 times
>
> PROPOSED FIX
> dnf's repo_gpgcheck should check the signature against keys in the user's keyring.
> Key management should be done using gpg, not dnf.
>
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.centos.org_mailman_listinfo_centos-2Ddevel&d=DwICAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=OAMtP0DWou0nlXG7Kmxo2enjXJfwb1DXS9fwcaESuTE&m=RD5SaBVBBKvWO12hlc_muBUXKZAlD70lbALEobDdsPM&s=GoWrg5OHnH6EEq_orGlYUcDdZjGiAKMekuGgDi3HM8w&e=
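The report above boils down to a trust-anchor problem: with repo_gpgcheck=1, an unattended `dnf -y update` fetches and accepts repository signing keys on its own, and a cache wipe throws them away again. The defensive counterpart is to make sure every repo that has signature checking turned on names a key that is already provisioned on disk (a file:// gpgkey), so dnf never has to decide trust for the operator. The following audit script is an added example written for this page, not dnf's own code or anything from the thread; the .repo contents, mirror hostnames and key paths it uses are constructed placeholders (the repo ids are the four named in the report), and the `key_exists` parameter is an assumed hook so the check can run without touching the real filesystem.

```python
"""Audit dnf .repo files for pre-provisioned signing keys (added example).

Flags every repository that has gpgcheck or repo_gpgcheck enabled but whose
gpgkey is absent, fetched over the network, or points at a local file that
does not exist. Those are exactly the repos for which `dnf -y update` would
import a key without an operator decision.
"""
import configparser
import os
from urllib.parse import urlparse

# Constructed sample configuration for illustration only: the hostnames and
# key paths are placeholders, not real CentOS mirrors or key files.
SAMPLE_REPO_FILE = """\
[baseos]
name=CentOS Linux $releasever - BaseOS
mirrorlist=http://mirrorlist.example.invalid/?repo=BaseOS
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[extras]
name=CentOS Linux $releasever - Extras
baseurl=http://mirror.example.invalid/extras/
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirror.example.invalid/RPM-GPG-KEY-extras

[powertools]
name=CentOS Linux $releasever - PowerTools
baseurl=http://mirror.example.invalid/powertools/
gpgcheck=1
repo_gpgcheck=1
"""


def audit_repo_text(repo_text, key_exists=os.path.isfile):
    """Return {repo_id: [findings]} for repos whose trust anchor is not local.

    `key_exists` is an assumed hook (default: os.path.isfile) so tests can
    run without the real /etc/pki tree.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(repo_text)
    findings = {}
    for repo_id in parser.sections():
        sec = parser[repo_id]
        checks_sigs = (sec.getboolean("gpgcheck", fallback=False)
                       or sec.getboolean("repo_gpgcheck", fallback=False))
        if not checks_sigs:
            continue  # nothing to verify, so no key to pre-provision
        problems = []
        # dnf accepts several whitespace-separated gpgkey URLs per repo.
        gpgkey_urls = sec.get("gpgkey", "").split()
        if not gpgkey_urls:
            problems.append("signature checking enabled but no gpgkey configured")
        for url in gpgkey_urls:
            parsed = urlparse(url)
            if parsed.scheme != "file":
                problems.append(f"key would be fetched over the network: {url}")
            elif not key_exists(parsed.path):
                problems.append(f"local key file missing: {parsed.path}")
        if problems:
            findings[repo_id] = problems
    return findings


def audit_repo_dir(repo_dir="/etc/yum.repos.d"):
    """Audit every *.repo file in a directory; returns the merged findings."""
    merged = {}
    for name in sorted(os.listdir(repo_dir)):
        if name.endswith(".repo"):
            with open(os.path.join(repo_dir, name), encoding="utf-8") as fh:
                merged.update(audit_repo_text(fh.read()))
    return merged


if __name__ == "__main__":
    # Stand-alone run against the constructed sample, pretending only the
    # baseos key is installed locally.
    installed = {"/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial"}
    for repo, issues in audit_repo_text(SAMPLE_REPO_FILE,
                                        key_exists=installed.__contains__).items():
        for issue in issues:
            print(f"{repo}: {issue}")
```

Run with no arguments it audits the embedded sample; call `audit_repo_dir()` on a real host to walk /etc/yum.repos.d. A repo that passes this check still gets its metadata signature verified by dnf, but the key it is verified against was put there by the administrator rather than accepted by a `-y` run.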