Bug 1368035

Summary: fedora-repos claims F25 repos are signed, when they are not
Product: [Fedora] Fedora Reporter: Kamil Páral <kparal>
Component: fedora-reposAssignee: Dennis Gilmore <dennis>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 25CC: dennis, kevin, mboddu, pbrobinson, robatino
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-18 09:38:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1277284    

Description Kamil Páral 2016-08-18 07:46:19 UTC 
Description of problem:
Both fedora.repo and fedora-updates.repo for Fedora 25 include "gpgcheck=1" in the repo definition file. But most of the packages doesn't seem to be signed.

$ sudo dnf install vim
...
Error: Package vim-enhanced-7.4.1989-2.fc25.x86_64.rpm is not signed

That means that in order to install anything, you need to pass --nogpgcheck to dnf command line. It also means gnome-software can't be used at all (I haven't checked KDE's graphical package manager).

The packages should be either signed, or fedora-repos should claim gpgcheck=0 for the repositories. Once the repos get signed, fedora-repos can be updated.

I don't remember having to use --nogpgcheck for Alphas in the past, so I assume this is not the state we want to release F25 Alpha in. It might also violate:
"The installed system must be able to download and install updates with the default console package manager. "
https://fedoraproject.org/wiki/Fedora_25_Alpha_Release_Criteria#Updates
provided we don't want all people to be aware and get used to using --nogpgcheck.

Version-Release number of selected component (if applicable):
fedora-repos-25-0.5.noarch

How reproducible:
always

Steps to Reproduce:
1. dnf install vim (or probably almost anything else)
Comment 1 Kamil Páral 2016-08-18 07:56:27 UTC 
Please note that this might also cause bug 1367780 and probably some others. This makes pre-release testing unnecessarily difficult. I'd like to see fedora-repos to reflect the true state of our repositories, not a state we wish they would be in.
Comment 2 Peter Robinson 2016-08-18 09:38:22 UTC 
the repos are all signed, there was issues with the compose that was causing  the new signed packages to no go to mirrors. That was fixed yesterday so once the mirrors catch up the problem should go away
Comment 3 Kevin Fenzi 2016-08-18 15:13:26 UTC 
Note that we actually haven't had a sucessfull compose since the signatures should all be there... but hopefully very soon. :)