Bug 1576982

Summary: Display repository GPG key fingerprint
Product: [Community] Copr
Reporter: sedrubal <fedora>
Component: frontend
Assignee: clime
Status: CLOSED NOTABUG
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: clime, praiskup
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-18 09:39:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description sedrubal 2018-05-10 21:41:32 UTC
Description of problem:

Currently users enable copr repos on their machines and then they get asked whether they trust the repository's fingerprint. But users don't know the correct fingerprint and have to trust blindly.


Expected results:

The repository GPG key fingerprint should be displayed on each copr project website.

Comment 1 clime 2018-05-18 09:39:34 UTC
If you look at the output of `dnf install`:

warning: /var/cache/dnf/pipiche-rspamd-c91fc61a66ec4118/packages/rspamd-1.7.4-3.fc28.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b055dbfe: NOKEY
Importing GPG key 0xB055DBFE:
 Userid     : "pipiche_rspamd (None) <pipiche#rspamd.org>"
 Fingerprint: 64A6 2EA1 C8F6 7E42 6858 930D 7BBF 5E8F B055 DBFE
 From       : https://copr-be.cloud.fedoraproject.org/results/pipiche/rspamd/pubkey.gpg
Is this ok [y/N]: 

The URL of the GPG key is displayed there: in this case https://copr-be.cloud.fedoraproject.org/results/pipiche/rspamd/pubkey.gpg

So it's not a blind trust. You just need to additionally trust that https://copr-be.cloud.fedoraproject.org/results/pipiche/rspamd/pubkey.gpg really belongs to https://copr.fedorainfracloud.org/coprs/pipiche/rspamd/, which it does.
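
The check described in comment 1, written out as an added example (not part of the bug report and not Copr or dnf code): it parses the import prompt quoted above and confirms that the key ID is the tail of the fingerprint and that the `From` URL is the HTTPS backend path for the same owner/project as the project page. The two host names and the `/coprs/<owner>/<project>/` to `/results/<owner>/<project>/pubkey.gpg` mapping are taken from the single example in the comment and are assumptions here; `parse_prompt` and `check_prompt` are hypothetical helper names.

```python
import re
from urllib.parse import urlparse

# Hosts as they appear in comment 1; treating them as the only valid
# frontend/backend pair is an assumption of this example.
FRONTEND_HOST = "copr.fedorainfracloud.org"
BACKEND_HOST = "copr-be.cloud.fedoraproject.org"

# The import prompt quoted in comment 1.
SAMPLE_PROMPT = """\
Importing GPG key 0xB055DBFE:
 Userid     : "pipiche_rspamd (None) <pipiche#rspamd.org>"
 Fingerprint: 64A6 2EA1 C8F6 7E42 6858 930D 7BBF 5E8F B055 DBFE
 From       : https://copr-be.cloud.fedoraproject.org/results/pipiche/rspamd/pubkey.gpg
Is this ok [y/N]:
"""

def parse_prompt(text):
    """Extract key ID, fingerprint (hex, no spaces) and source URL."""
    key_id = re.search(r"Importing GPG key 0x([0-9A-Fa-f]+):", text)
    fpr = re.search(r"^\s*Fingerprint\s*:\s*([0-9A-Fa-f ]+)$", text, re.M)
    src = re.search(r"^\s*From\s*:\s*(\S+)$", text, re.M)
    if not (key_id and fpr and src):
        raise ValueError("not a dnf key import prompt")
    return key_id.group(1).upper(), fpr.group(1).replace(" ", "").upper(), src.group(1)

def check_prompt(text, project_url):
    """Return a list of problems; an empty list means the prompt is consistent."""
    key_id, fpr, src = parse_prompt(text)
    problems = []
    if len(fpr) != 40 or not fpr.endswith(key_id):
        problems.append("key ID is not the tail of a 160-bit fingerprint")
    proj, key = urlparse(project_url), urlparse(src)
    m = re.fullmatch(r"/coprs/([^/]+)/([^/]+)/?", proj.path)
    if proj.scheme != "https" or proj.hostname != FRONTEND_HOST or not m:
        problems.append("project URL is not a Copr project page")
        return problems
    if key.scheme != "https" or key.hostname != BACKEND_HOST:
        problems.append("key is not served over HTTPS from the Copr backend")
    if key.path != "/results/%s/%s/pubkey.gpg" % m.groups():
        problems.append("key path does not match the project owner/name")
    return problems
```

An empty result only means the prompt is consistent with the project page; the fingerprint itself is still vouched for by nothing more than the HTTPS connection to the backend host.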