Bug 1655202

Summary: dnf -C (as user) keeps asking for key import even when that key is already imported
Product: [Fedora] Fedora Reporter: Matthew Miller <mattdm>
Component: dnfAssignee: rpm-software-management
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 29CC: dmach, mblaha, mhatina, packaging-team-maint, rpm-software-management, thib, tmz, vmukhame
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-07 15:18:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthew Miller 2018-12-01 02:11:31 UTC 
I enabled the Cisco H264 repo. Now I always get:

$ dnf -C updateinfo
Fedora 29 openh264 (From Cisco) - x86_64        1.6 kB/s | 1.6 kB     00:01    
Importing GPG key 0x429476B4:
 Userid     : "Fedora 29 (29) <fedora-29>"
 Fingerprint: 5A03 B4DD 8254 ECA0 2FDA 1637 A20A A56B 4294 76B4
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-x86_64
Is this ok [y/N]: 


whenever I do any operation as a user with `dnf -C` (I have that as an alias, as I want to avoid duplicate caching.)

But that key is already imported! I mean, it's the main Fedora 29 GPG key, even:

$ rpm -q gpg-pubkey|grep -i 429476B4
gpg-pubkey-429476b4-5a886537

Running DNF as root works fine. Running DNF as a user without -C downloads the cache (even though the root metadata was just updated! -- is that a known bug?) into /var/tmp, and asks for the key, but then does not do that on subsequent runs -- until I do `dnf -C`, and then I'm asked for the key again!!!
Comment 1 Matthew Miller 2018-12-06 21:38:12 UTC 
Sorry -- I forgot to list dnf version. This persist in dnf-4.0.9-1.fc29.noarch
Comment 2 Todd Zullinger 2019-03-03 17:41:54 UTC 
The key import is the repo key, rather than the rpmdb key, due to the fedora-cisco-openh264 repo having "repo_gpgcheck" enabled by default.  The key for repo_gpgcheck is stored in a gpg homedir under
/var/cache/dnf/fedora-cisco-openh264-XXXXXXXXXXXXXXXX/pubring/.  If I had to guess, when run as a user, dnf can't read that gpg homedir (it can't connect to any running gpg-agent nor start one if needed).

It's still strange (and undesirable) that the user is prompted to import it, of course. I don't know how easy this is to resolve, but it would be nice to be able to run 'dnf -C' as a user without these prompts and have any repos which require gpgcheck still work.

Currently, whether you say yes or no to the import prompt, dnf follows with "Cache-only enabled but no cache for 'fedora-cisco-openh264'" and "Ignoring repositories: fedora-cisco-openh264."  Here's some sample output to illustrate:

# As root, dnf lists packages (and will ensure the cache is updated, key imported, etc.
$ sudo dnf --disablerepo '*' --enablerepo fedora-cisco-openh264 list available
Last metadata expiration check: 0:26:34 ago on Sun 03 Mar 2019 11:47:29 AM EST.
Available Packages
gstreamer1-plugin-openh264.i686        1.14.2-1.fc29       fedora-cisco-openh264
gstreamer1-plugin-openh264.x86_64      1.14.2-1.fc29       fedora-cisco-openh264
mozilla-openh264.x86_64                1.8.0-2.fc29        fedora-cisco-openh264
openh264.i686                          1.8.0-2.fc29        fedora-cisco-openh264
openh264.x86_64                        1.8.0-2.fc29        fedora-cisco-openh264
openh264-debugsource.x86_64            1.8.0-2.fc29        fedora-cisco-openh264
openh264-devel.i686                    1.8.0-2.fc29        fedora-cisco-openh264
openh264-devel.x86_64                  1.8.0-2.fc29        fedora-cisco-openh264

# As user with -C, the repo is ignored (regardless of the answer to the import prompt)
$ dnf -C --disablerepo '*' --enablerepo fedora-cisco-openh264 list available
Fedora 29 openh264 (From Cisco) - x86_64        1.5 MB/s | 1.6 kB     00:00    
Importing GPG key 0x429476B4:
 Userid     : "Fedora 29 (29) <fedora-29>"
 Fingerprint: 5A03 B4DD 8254 ECA0 2FDA 1637 A20A A56B 4294 76B4
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-x86_64
Is this ok [y/N]: n
Cache-only enabled but no cache for 'fedora-cisco-openh264'
Ignoring repositories: fedora-cisco-openh264

This makes 'dnf -C' mostly unusable if you have repos with repo_gpgcheck enabled, since the answers you'll get from any queries will be excluding those repos.

A fix may require changes in libdnf as well, since it looks like much of the repo_gpgcheck handling lives there.  Maybe the gpg homedir can be copied from the system cache to the user cache dir so it can be used?

A workaround (though I wouldn't really recommend it) is to add '--nogpgcheck' to disable all gpg checking.  In combination with 'dnf -C' perhaps it's not terrible, since nothing is being downloaded which wasn't already downloaded and presumably checked when it was added to the system cache.
Comment 3 Todd Zullinger 2019-07-21 16:31:48 UTC 
I think this is a duplicate of #1247644 (dnf --cacheonly wants to import GPG key when using repo_gpgcheck, 2015-07-28).
Comment 4 Jaroslav Mracek 2019-09-07 15:18:12 UTC 

*** This bug has been marked as a duplicate of bug 1247644 ***