Red Hat Bugzilla – Bug 140200
yum attempts to gpgcheck a package that is unsigned
Last modified: 2014-01-21 17:50:46 EST
Description of problem:
If yum is configured with "gpgcheck=1" and then attempts to install
or update a package that is unsigned, it fails with "unsigned package
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. configure /etc/yum.conf with "gpgcheck=1"
2. yum update <some-unsigned-package>
Actual Results: unsigned package <path>
Expected Results: yum should generate a warning about the package
not being signed, but should continue.
yum should NEVER "bail", "punt", or "quit" because of a recoverable
error or, especially, because of a warning condition.

1. yum doesn't die, it exits with an error message.
2. An unsigned package when gpgcheck=1 is an error. If it was not, then
a person who broke into a repository could simply put an unsigned rpm
into the repository and 'boom' they own all those machines.
This is not a bug.
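
The protection described in the reply above only applies to repositories where gpgcheck is actually in effect. The following is an added example, not part of the bug report or of yum's code: a small audit that resolves the effective gpgcheck value per repository, with `[main]` in yum.conf supplying the default. The sample files and repository names are constructed, and an unset value is assumed to mean "off".

```python
import configparser

# Constructed sample configuration (not taken from the bug report).
SAMPLE_FILES = {
    "/etc/yum.conf": "[main]\ngpgcheck=1\n",
    "/etc/yum.repos.d/example.repo": (
        "[base]\nname=Base\nbaseurl=http://mirror.example/base\n\n"
        "[thirdparty]\nname=Third party\nbaseurl=http://mirror.example/tp\n"
        "gpgcheck=0\n"
    ),
}


def effective_gpgcheck(files, main_conf="/etc/yum.conf", unset_default=False):
    """Return {repo_id: bool}: the gpgcheck value each repository ends up with.

    files maps a path to that file's text. unset_default is an assumption:
    the value used when neither [main] nor the repository sets gpgcheck.
    """
    parsers = {}
    for path, text in files.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text, source=path)
        parsers[path] = cp

    # gpgcheck in [main] sets the default for every repository section.
    default = unset_default
    main = parsers.get(main_conf)
    if main is not None and main.has_option("main", "gpgcheck"):
        default = main.getboolean("main", "gpgcheck")

    result = {}
    for cp in parsers.values():
        for section in cp.sections():
            if section != "main":
                # A per-repository setting overrides the [main] default.
                result[section] = cp.getboolean(section, "gpgcheck", fallback=default)
    return result


def repos_without_gpgcheck(files):
    """Repository ids whose packages would be installed without a signature check."""
    return sorted(repo for repo, on in effective_gpgcheck(files).items() if not on)


if __name__ == "__main__":
    for repo in repos_without_gpgcheck(SAMPLE_FILES):
        print("gpgcheck disabled for repo:", repo)
```
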