Bug 1247644 - dnf --cacheonly wants to import GPG key when using repo_gpgcheck
dnf --cacheonly wants to import GPG key when using repo_gpgcheck
Status: NEW
Product: Fedora
Classification: Fedora
Component: dnf (Show other bugs)
Unspecified Unspecified
high Severity high
: ---
: ---
Assigned To: rpm-software-management
Fedora Extras Quality Assurance
: EasyFix, Reopened, Triaged
: 1398868 1416103 (view as bug list)
Depends On:
Blocks: 1350930
  Show dependency treegraph
Reported: 2015-07-28 10:05 EDT by Michael Kuhn
Modified: 2017-12-08 06:22 EST (History)
15 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-07-19 13:14:06 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Michael Kuhn 2015-07-28 10:05:41 EDT
Description of problem:
I have one repository that is using repo_gpgcheck=1. Whenever I use dnf --cacheonly (as a user), dnf wants to import the GPG key for this repository. (The GPG key has been imported as root before.)

As this obviously does not work, the repository is disabled and thus not available for --cacheonly operations:
Cache-only enabled but no cache for 'xyz', disabling.

This is apparently due to the fact that /var/cache/dnf/x86_64/22/xyz/pubring/trustdb.gpg is not world-readable and can thus not be accessed as a non-root user.

Version-Release number of selected component (if applicable):
dnf.noarch          1.0.1-2.fc22
dnf-conf.noarch     1.0.1-2.fc22
dnf-yum.noarch      1.0.1-2.fc22
python-dnf.noarch   1.0.1-2.fc22
python3-dnf.noarch  1.0.1-2.fc22

How reproducible:
Always when using --cacheonly as a user

Steps to Reproduce:
1. Install a repository using repo_gpgcheck=1
2. dnf --cacheonly list installed '*dnf*'

Actual results:
dnf prompts to import GPG key.

Expected results:
dnf does not prompt and uses the repository.
Comment 1 Honza Silhan 2015-08-11 07:42:56 EDT
we should change the permissions of gpg key to be readable by user.
Comment 2 Matthias Runge 2016-06-08 15:07:01 EDT
still true for f24
Comment 3 Fedora Admin XMLRPC Client 2016-07-08 05:31:03 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 4 Fedora End Of Life 2016-07-19 13:14:06 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 5 Jaroslav Mracek 2017-02-16 09:59:43 EST
I think we have here little bit different problem. Repo_gpg key is different that rpm gpg key. It is imported into cache directory with metadata. But user use different cache than root (for good security reason), therefore also import of gpg key is in different place. If we will allow to share gpg key location for users and root we will have to answer question who has rights to write down the gpg key? And what happen when key is changed? If user will not have rights he will be unable to use repo's gpg verification. From my point of view it is not a bug because if you import repo gpg key into cache it is valid for user that imported it and the logic is same like for metadata.
Comment 6 Jerry James 2017-03-03 10:07:57 EST
See bug 1350930, where enabling fedora-cisco-openh264, shipped in the fedora-repos package, makes fedora-review stop working due to this issue.  The messages generated by dnf are not helpful in figuring out why fedora-review has stopped working.  Even if this is not a bug, the messages could be improved to help packagers figure out the real nature of the problem.
Comment 7 Jaroslav Mracek 2017-03-14 06:46:16 EDT
Probably we can think to use rpm database of imported gpgkeys, but for other reason keep present behavior. But I have to ask people from RPM, if there is any API that could provide us information about imported gpgkeys. Thanks in advance to RPM team for any information.
Comment 8 Jaroslav Mracek 2017-03-14 06:46:52 EDT
*** Bug 1398868 has been marked as a duplicate of this bug. ***
Comment 9 Jaroslav Mracek 2017-03-14 06:47:23 EDT
*** Bug 1416103 has been marked as a duplicate of this bug. ***
Comment 10 Florian Festi 2017-03-14 07:57:35 EDT
There is the rpmKeyring API found in rpmio/rpmkeyring.h (or include/rpm/rpmkeyring.h). It is also available in Python as the keyring class and the ts.getKeyring() method (or rpmtsGetKeyring() in C).
Comment 11 David Kaspar [Dee'Kej] 2017-05-24 06:10:21 EDT
Hello, could somebody please look into this? This is blocking BZ #1350930, so me and others are currently workarounding this when doing fedora-review. This is really pain in the a** for many people. Thank you!
Comment 12 Fedora End Of Life 2017-07-25 15:03:21 EDT
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 13 Till Maas 2017-07-25 15:32:02 EDT
iirc it is still a problem in at least Fedora 25
Comment 14 Jan Kurik 2017-08-15 02:56:23 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Note You need to log in before you can comment on or make changes to this bug.