Bug 1373331

Summary: RFE: Sign repository metadata generated for coprs along with packages
Product: [Community] Copr
Reporter: Neal Gompa <ngompa13>
Component: backend
Assignee: Copr Team <copr-team>
Status: NEW
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: fedora, grugnog
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description (Neal Gompa, 2016-09-06 03:04:15 UTC)
Description of problem:
COPR currently signs packages, but not the repository metadata. Without signing the metadata, there's no obvious way to prevent DNF from reading untrusted repository metadata.

This involves extending the signer to sign the generated repository metadata and having the frontend generate .repo files that include "repo_gpgcheck=1".

Version-Release number of selected component (if applicable):
copr-backend-1.92-1.fc24
copr-frontend-1.99-1.fc24

How reproducible:
Always

Steps to Reproduce:
1. Set a copr repo to "repo_gpgcheck=1" in /etc/yum.repos.d repo file
2. dnf --refresh install <package>

Actual results:
DNF complains that there's no repodata signature to verify.

Expected results:
DNF silently verifies that the repodata is properly signed.

Additional info:
As of https://github.com/fedora-copr/copr/commit/28e0109882afbfb52a7eedff0f38973f1cdf3432, repo_gpgcheck is currently always set to "0". If this feature request is implemented, it should be changed to get the value set the same way "gpgcheck" is.
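As an added example (not part of the bug report or of Copr's code), a small Python audit that flags .repo stanzas in the state the report describes (packages verified, repository metadata not), together with a renderer that derives repo_gpgcheck from gpgcheck as the last paragraph asks. The hostnames, repo ids and the exact set of stanza fields are constructed placeholders, not the frontend's real template.

```python
import configparser

# Constructed /etc/yum.repos.d content (not taken from the bug): the first
# stanza has the shape the report describes (packages verified, repodata not),
# the second is what the RFE asks for.
SAMPLE_REPO_FILE = """\
[copr:copr.example.invalid:someuser:someproject]
name=Copr repo for someproject owned by someuser
baseurl=https://copr.example.invalid/results/someuser/someproject/fedora-$releasever-$basearch/
type=rpm-md
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://copr.example.invalid/results/someuser/someproject/pubkey.gpg
enabled=1

[fully-verified-example]
name=Constructed repo that verifies both packages and metadata
baseurl=https://repo.example.invalid/fedora/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY
enabled=1
"""

def dnf_bool(value):
    """Interpret a dnf-style boolean option (1/0, yes/no, true/false, on/off)."""
    return str(value).strip().lower() in ("1", "yes", "true", "on")

def find_unsigned_metadata_repos(repo_text):
    """Return ids of enabled repos that verify packages (gpgcheck) but not
    repository metadata (repo_gpgcheck), the gap the report describes."""
    cp = configparser.ConfigParser(interpolation=None)  # .repo values are literal
    cp.read_string(repo_text)
    flagged = []
    for repo_id in cp.sections():
        enabled = dnf_bool(cp.get(repo_id, "enabled", fallback="1"))
        pkg_check = dnf_bool(cp.get(repo_id, "gpgcheck", fallback="0"))
        md_check = dnf_bool(cp.get(repo_id, "repo_gpgcheck", fallback="0"))
        if enabled and pkg_check and not md_check:
            flagged.append(repo_id)
    return flagged

def render_copr_repo(repo_id, baseurl, gpgkey, gpgcheck):
    """Render a .repo stanza with repo_gpgcheck derived from gpgcheck, as the
    report asks; the field set is an assumption, not the frontend's template."""
    flag = 1 if gpgcheck else 0
    return (f"[{repo_id}]\nname=Copr repo for {repo_id}\nbaseurl={baseurl}\n"
            f"type=rpm-md\ngpgcheck={flag}\nrepo_gpgcheck={flag}\n"
            f"gpgkey={gpgkey}\nenabled=1\n")
```

Running the audit over a real /etc/yum.repos.d tree lists exactly the repos for which DNF would accept unauthenticated repomd.xml even though package signatures are checked.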