Bug 1563841

Summary: --nogpgcheck should override localpkg_gpgcheck=True
Product: [Fedora] Fedora
Reporter: Robin A. Meade <robin.a.meade>
Component: dnf
Assignee: Jaroslav Mracek <jmracek>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: dmach, jmracek, mhatina, packaging-team-maint, rpm-software-management, vmukhame
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-06-28 08:15:31 UTC
Type: Bug

Description Robin A. Meade 2018-04-04 21:03:25 UTC
Description of problem:

In /etc/dnf/dnf.conf, I set the localpkg_gpgcheck to True to prevent unwittingly installing unsigned packages. The --nogpgcheck command line option should allow me to explicitly override this behavior when desired, but it has no effect. DNF still checks the signature and prevents me from installing unsigned packages.


Version-Release number of selected component (if applicable):

Fedora 27
dnf 2.7.5


Steps to Reproduce:

Check that the localpkg_gpgcheck configuration option is documented:

$ man dnf.conf | grep -F localpkg_gpgcheck --after-context=4
   localpkg_gpgcheck
      boolean

      Whether to perform a GPG signature check on local  packages  (packages
      in a file, not in a repositoy). The default is False.

In /etc/dnf/dnf.conf, I set it to true to prevent unwittingly installing unsigned local packages:

$ grep -F localpkg_gpgcheck /etc/dnf/dnf.conf
localpkg_gpgcheck=1

Check that the --nogpgcheck option is documented:

$ man dnf | grep -F nogpgcheck --after-context=2
   --nogpgcheck
      skip checking GPG signatures on packages

Now try it. I downloaded a firefox package from koji. (Such packages are unsigned.)

$ sudo dnf install --nogpgcheck ./firefox-59.0-3.fc27.x86_64.rpm
...
Package firefox-59.0-3.fc27.x86_64.rpm is not signed
Error: GPG check FAILED


Actual results:

The signature was checked even though I specified --nogpgcheck.

Expected results:

I expected the --nogpgcheck option to skip the checking of GPG signatures on local packages.

Comment 1 Jaroslav Mracek 2018-05-24 20:44:17 UTC
I created a patch (https://github.com/rpm-software-management/dnf/pull/1097) that should solve the issue.

Comment 2 Jaroslav Mracek 2018-06-28 08:15:31 UTC
The issue is solved by dnf-3.0.1-1 that was released into rawhide.
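
The precedence the report expects (an explicit --nogpgcheck on the command line wins over localpkg_gpgcheck in dnf.conf), written out as an added example that is not part of the bug thread and is not dnf's code. The function names, the sample configuration and the accepted boolean spellings are assumptions; the second function is an audit helper that lists the local package files a given command line would install without a signature check.

```python
import configparser

# Constructed sample, modelled on the reporter's /etc/dnf/dnf.conf setting.
SAMPLE_CONF = """\
[main]
gpgcheck=1
localpkg_gpgcheck=1
"""

# Boolean spellings accepted by this sketch (assumption about dnf.conf syntax).
TRUE_WORDS = {"1", "yes", "true", "on"}
FALSE_WORDS = {"0", "no", "false", "off"}


def parse_bool(value):
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def effective_localpkg_gpgcheck(conf_text, argv):
    """Return (enabled, source) for signature checks on local package files."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    enabled, source = False, "default"  # man page: "The default is False."
    if parser.has_option("main", "localpkg_gpgcheck"):
        enabled = parse_bool(parser.get("main", "localpkg_gpgcheck"))
        source = "dnf.conf"
    if "--nogpgcheck" in argv:  # expected: explicit flag wins over the file
        enabled, source = False, "command line"
    return enabled, source


def unverified_local_packages(conf_text, argv):
    """List .rpm file arguments that would be installed without a check."""
    enabled, _ = effective_localpkg_gpgcheck(conf_text, argv)
    if enabled:
        return []
    return [arg for arg in argv if arg.endswith(".rpm") and not arg.startswith("-")]


if __name__ == "__main__":
    cmd = ["install", "--nogpgcheck", "./firefox-59.0-3.fc27.x86_64.rpm"]
    print(effective_localpkg_gpgcheck(SAMPLE_CONF, cmd))
    print(unverified_local_packages(SAMPLE_CONF, cmd))
```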