Bug 2417106

Summary: Changes/Enforcing signature checking by default
Product: [Fedora] Fedora Reporter: Allison King <alking>
Component: Changes TrackingAssignee: Panu Matilainen <pmatilai>
Status: ON_QA --- QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: alking, bcl, pmatilai, tallis.elliott, tomas.it
Target Milestone: ---Flags: fedora-admin-xmlrpc: mirror+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2402320    

Description Allison King 2025-11-25 20:18:00 UTC
This is a tracking bug for Change: Changes/Enforcing signature checking by default
For more details, see: https://fedoraproject.org/wiki/Changes/Enforcing_signature_checking_by_default

Change the RPM default package verification mode to enforcing signature checking, to follow upstream RPM 6.0 default:
only packages with a verified signature can be installed, unless explicitly overridden by `--nosignature` or corresponding API.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.

Comment 1 Panu Matilainen 2026-02-17 07:46:42 UTC
Enabled in rawhide as of Feb 16 in rpm >= 6.0.1-5

Comment 2 Tomas 2026-03-24 09:35:04 UTC
If anyone using mock seeing gpg check failed issue (eventho you have tried setting gpg check 0 on dnf.conf, repo etc.) :facepalm: 

you can override this value using:

config_opts['files']['/etc/rpm/macros.pkgverify'] = '%_pkgverify_level digest\n'

cc: @bcl