Description of problem:
COPR currently signs packages, but not the repository metadata. Without signing the metadata, there's no obvious way to prevent DNF from reading untrusted repository metadata. This involves adding to the signer to sign the generated repository metadata and having the frontend generate .repo files that include "repo_gpgcheck=1".

Version-Release number of selected component (if applicable):
copr-backend-1.92-1.fc24
copr-frontend-1.99-1.fc24

How reproducible:
Always

Steps to Reproduce:
1. Set a copr repo to "repo_gpgcheck=1" in /etc/yum.repos.d repo file
2. dnf --refresh install <package>

Actual results:
DNF complains that there's no repodata signature to verify.

Expected results:
DNF silently verifies that the repodata is properly signed.

Additional info:
As of https://github.com/fedora-copr/copr/commit/28e0109882afbfb52a7eedff0f38973f1cdf3432, repo_gpgcheck is currently always set to "0". If this feature request is implemented, it should be changed to get the value set the same way "gpgcheck" is.
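
Added example (not part of the original report and not Copr code): a small audit that parses .repo definitions and lists enabled repositories where packages may be signature-checked but the repository metadata is not. The repo IDs and URLs are constructed, and the fallbacks for absent keys are an assumption that ignores any override in the [main] section of dnf.conf.

```python
import configparser

# Constructed sample .repo content (not taken from a real Copr project).
SAMPLE = """\
[example-signed-packages-only]
name=Packages checked, metadata not checked
baseurl=https://repo.example.invalid/a/fedora-$releasever-$basearch/
gpgcheck=1
repo_gpgcheck=0

[example-fully-checked]
name=Packages and metadata checked
baseurl=https://repo.example.invalid/b/fedora-$releasever-$basearch/
gpgcheck=1
repo_gpgcheck=1

[example-option-absent]
name=repo_gpgcheck not set at all, repo disabled
baseurl=https://repo.example.invalid/c/fedora-$releasever-$basearch/
gpgcheck=1
enabled=0
"""


def audit_repos(text):
    """Return {repo_id: {"enabled", "gpgcheck", "repo_gpgcheck"}} per section."""
    # interpolation=None: URLs may contain '%'; strict=False tolerates duplicates.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo_id in cp.sections():
        sec = cp[repo_id]
        # Assumed values for absent keys: repo enabled, both checks off.
        report[repo_id] = {
            "enabled": sec.getboolean("enabled", fallback=True),
            "gpgcheck": sec.getboolean("gpgcheck", fallback=False),
            "repo_gpgcheck": sec.getboolean("repo_gpgcheck", fallback=False),
        }
    return report


def metadata_unverified(text):
    """IDs of enabled repos whose metadata signature is not checked."""
    return sorted(repo_id for repo_id, s in audit_repos(text).items()
                  if s["enabled"] and not s["repo_gpgcheck"])


if __name__ == "__main__":
    print("metadata not verified:", metadata_unverified(SAMPLE))
```
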
The bugs related to Copr build system are now migrated to the default Copr team tracker: https://github.com/fedora-copr/copr/issues/2644