Red Hat Bugzilla – Bug 1247644
dnf --cacheonly wants to import GPG key when using repo_gpgcheck
Last modified: 2017-12-08 06:22:45 EST
Description of problem:
I have one repository that is using repo_gpgcheck=1. Whenever I use dnf --cacheonly (as a user), dnf wants to import the GPG key for this repository. (The GPG key has been imported as root before.)
As this obviously does not work, the repository is disabled and thus not available for --cacheonly operations:
Cache-only enabled but no cache for 'xyz', disabling.
This is apparently due to the fact that /var/cache/dnf/x86_64/22/xyz/pubring/trustdb.gpg is not world-readable and can thus not be accessed as a non-root user.
Version-Release number of selected component (if applicable):
Always when using --cacheonly as a user
Steps to Reproduce:
1. Install a repository using repo_gpgcheck=1
2. dnf --cacheonly list installed '*dnf*'
dnf prompts to import GPG key.
dnf does not prompt and uses the repository.
we should change the permissions of gpg key to be readable by user.
still true for f24
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
Thank you for reporting this bug and we are sorry it could not be fixed.
I think we have here little bit different problem. Repo_gpg key is different that rpm gpg key. It is imported into cache directory with metadata. But user use different cache than root (for good security reason), therefore also import of gpg key is in different place. If we will allow to share gpg key location for users and root we will have to answer question who has rights to write down the gpg key? And what happen when key is changed? If user will not have rights he will be unable to use repo's gpg verification. From my point of view it is not a bug because if you import repo gpg key into cache it is valid for user that imported it and the logic is same like for metadata.
See bug 1350930, where enabling fedora-cisco-openh264, shipped in the fedora-repos package, makes fedora-review stop working due to this issue. The messages generated by dnf are not helpful in figuring out why fedora-review has stopped working. Even if this is not a bug, the messages could be improved to help packagers figure out the real nature of the problem.
Probably we can think to use rpm database of imported gpgkeys, but for other reason keep present behavior. But I have to ask people from RPM, if there is any API that could provide us information about imported gpgkeys. Thanks in advance to RPM team for any information.
*** Bug 1398868 has been marked as a duplicate of this bug. ***
*** Bug 1416103 has been marked as a duplicate of this bug. ***
There is the rpmKeyring API found in rpmio/rpmkeyring.h (or include/rpm/rpmkeyring.h). It is also available in Python as the keyring class and the ts.getKeyring() method (or rpmtsGetKeyring() in C).
Hello, could somebody please look into this? This is blocking BZ #1350930, so me and others are currently workarounding this when doing fedora-review. This is really pain in the a** for many people. Thank you!
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
iirc it is still a problem in at least Fedora 25
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.