Bug 2439694

Summary: GNOME Software prompts to import GPG key on first launch
Product: [Fedora] Fedora Reporter: lpavan
Component: gnome-softwareAssignee: Milan Crha <mcrha>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 44CC: franute, gnome-sig, jonathan, mcatanza, mcrha, pkratoch, ppisar, rhughes, rpm-software-management
Target Milestone: ---Keywords: Desktop, Regression
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: gnome-software-50~beta-6 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2026-02-16 12:29:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
GNOME Software asking to import a key none

Description lpavan 2026-02-13 15:17:45 UTC 
Upon performing a fresh installation of Fedora 44 (Workstation Pre-release) and launching GNOME Software for the first time, a modal dialog appears titled "Import Key". The dialog asks "Do you want to import key 6D9F90A6?" with details pointing to a key located at `/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-44-x86_64`.

This key seems to be part of the default installation and should be implicitly trusted. Requiring the user to manually verify and import the official distribution key via a GUI pop-up is a regression/bug that creates friction for new users.

Reproducible: Always

Steps to Reproduce:
1. Install a fresh instance of Fedora 44 Workstation (Pre-release).
2. Complete the initial setup (user creation, etc.).
3. Open the "Software" (gnome-software) app.
4. Observe the prompt that appears.

Actual Results:
An "Import Key" dialog appears requiring manual user intervention to trust a GPG key.

Expected Results:
GNOME Software should open without prompting for repository keys, as these should be trusted by default in a standard Fedora installation.

Key information:
- Key user: "Fedora (44) <fedora-44-primary>"
- Fingerprint: 36F6 12DC F27F 7D1A 48A8 35E4 DBFC F71C 6D9F 90A6
- From: /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-44-x86_64

GNOME Software issue (closed):
https://gitlab.gnome.org/GNOME/gnome-software/-/issues/2874
Comment 1 lpavan 2026-02-13 15:18:40 UTC 
Created attachment 2129370 [details]
GNOME Software asking to import a key
Comment 2 Milan Crha 2026-02-16 11:08:52 UTC 
The problem is that the dnf5 daemon reports the key coming 'from_repo_id': <'8791fdcd77de4fc7889843ec6b74d21c'> , while it cannot find this repository, because it does not exist any more. It remembers it is installed from `@System` repository.

When the keys are updated later on, like when moving from one version to another, the information can be more "accurate". In a rawhide machine I've here it says: 'from_repo_id': <'rawhide'> , and there exists such repository.

It seems I cannot configure an `@System` repository myself, thus I guess I can treat such repos as "fine to import the key from" and auto-accept key import requests for keys from such repositories. Unfortunately, packages installed from command line identify "from_repo_id" as "@commandline" and the "repo_id" as "@System", thus checking only the repo_id on its own won't work well for the heuristic.

I do not see any better way than to accept "@System" only if not being "@commandline" at the same time. It can be extended in the future, if needed.
Comment 3 Milan Crha 2026-02-16 12:29:55 UTC 
Fixed/changed by https://gitlab.gnome.org/mcrha/gnome-software/-/commit/8023c8ca81d81640fd00ed587c4bed6f52391bcd , to be included in the next build.
Comment 4 Milan Crha 2026-02-16 13:32:55 UTC 
*** Bug 2439688 has been marked as a duplicate of this bug. ***