Bug 2182197

Summary: Package shouldn't add GPG keys to default RPM keyring
Product: [Fedora] Fedora Reporter: Jonathan Lebon <jlebon>
Component: containers-commonAssignee: Lokesh Mandvekar <lsm5>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 39CC: dwalsh, jnovy, kdreyer, lsm5
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jonathan Lebon 2023-03-27 21:00:42 UTC 
Description of problem:

Currently, containers-common adds the Red Hat release key to /etc/pki/rpm-gpg. This behaviour was introduced in:

https://src.fedoraproject.org/rpms/containers-common/c/67fd4062

Based on the above commit, the initial purpose of this change was to automatically trust signed Red Hat images. However, its effect is that it changes the default set of trusted keys during RPM transactions. I think it's surprising to have a package about containers do this since RPM keys fall outside the scope of this package's functionality.

One suggestion is to move the key to another location and have the software stack look in both /etc/pki/rpm-gpg and the new location when building its keyring.

Another suggestion is to add a weak dep to the distribution-gpg-keys package, and either document that if /usr/share/distribution-gpg-keys/redhat is present, it'll be added to the container stack-specific keyring, or let users add the directory themselves in some config file.

Version-Release number of selected component (if applicable):

All recent versions

How reproducible:

Always

Steps to Reproduce:
1. Install containers-common

Actual results:

Default global RPM keyring is modified.

Expected results:

Default global RPM keyring is unmodified.

Additional info:
Comment 1 Ken Dreyer (Red Hat) 2023-06-13 20:52:01 UTC 
Is there a standard place to put container signing keys that are independent of RPM GPG keys?
Comment 2 Fedora Release Engineering 2023-08-16 07:12:35 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.