Bug 1368035 - fedora-repos claims F25 repos are signed, when they are not
Summary: fedora-repos claims F25 repos are signed, when they are not
Alias: None
Product: Fedora
Classification: Fedora
Component: fedora-repos
Version: 25
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Dennis Gilmore
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: F25AlphaBlocker
TreeView+ depends on / blocked
Reported: 2016-08-18 07:46 UTC by Kamil Páral
Modified: 2016-08-18 15:13 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-08-18 09:38:22 UTC
Type: Bug

Attachments (Terms of Use)

Description Kamil Páral 2016-08-18 07:46:19 UTC
Description of problem:
Both fedora.repo and fedora-updates.repo for Fedora 25 include "gpgcheck=1" in the repo definition file. But most of the packages doesn't seem to be signed.

$ sudo dnf install vim
Error: Package vim-enhanced-7.4.1989-2.fc25.x86_64.rpm is not signed

That means that in order to install anything, you need to pass --nogpgcheck to dnf command line. It also means gnome-software can't be used at all (I haven't checked KDE's graphical package manager).

The packages should be either signed, or fedora-repos should claim gpgcheck=0 for the repositories. Once the repos get signed, fedora-repos can be updated.

I don't remember having to use --nogpgcheck for Alphas in the past, so I assume this is not the state we want to release F25 Alpha in. It might also violate:
"The installed system must be able to download and install updates with the default console package manager. "
provided we don't want all people to be aware and get used to using --nogpgcheck.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. dnf install vim (or probably almost anything else)

Comment 1 Kamil Páral 2016-08-18 07:56:27 UTC
Please note that this might also cause bug 1367780 and probably some others. This makes pre-release testing unnecessarily difficult. I'd like to see fedora-repos to reflect the true state of our repositories, not a state we wish they would be in.

Comment 2 Peter Robinson 2016-08-18 09:38:22 UTC
the repos are all signed, there was issues with the compose that was causing  the new signed packages to no go to mirrors. That was fixed yesterday so once the mirrors catch up the problem should go away

Comment 3 Kevin Fenzi 2016-08-18 15:13:26 UTC
Note that we actually haven't had a sucessfull compose since the signatures should all be there... but hopefully very soon. :)

Note You need to log in before you can comment on or make changes to this bug.