Bug 1563841 - --nogpgcheck should override localpkg_gpgcheck=True
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dnf
Version: 27
Hardware: Unspecified
Assignee: Jaroslav Mracek
QA Contact: Fedora Extras Quality Assurance
Keywords: Triaged
Reported: 2018-04-04 21:03 UTC by Robin A. Meade
Modified: 2018-06-28 08:15 UTC

Last Closed: 2018-06-28 08:15:31 UTC
Type: Bug

Description Robin A. Meade 2018-04-04 21:03:25 UTC
Description of problem:

In /etc/dnf/dnf.conf, I set the localpkg_gpgcheck to True to prevent unwittingly installing unsigned packages. The --nogpgcheck command line option should allow me to explicitly override this behavior when desired, but it has no effect. DNF still checks the signature and prevents me from installing unsigned packages.


Version-Release number of selected component (if applicable):

Fedora 27
dnf 2.7.5


Steps to Reproduce:

Check that the localpkg_gpgcheck configuration option is documented:

$ man dnf.conf | grep -F localpkg_gpgcheck --after-context=4
   localpkg_gpgcheck
      boolean

      Whether to perform a GPG signature check on local  packages  (packages
      in a file, not in a repositoy). The default is False.

In /etc/dnf/dnf.conf, I set it to true to prevent unwittingly installing unsigned local packages.

$ grep -F localpkg_gpgcheck /etc/dnf/dnf.conf
localpkg_gpgcheck=1

Check that the --nogpgcheck option is documented:

$ man dnf | grep -F nogpgcheck --after-context=2
   --nogpgcheck
      skip checking GPG signatures on packages

Now try it. I downloaded a firefox package from koji. (Such packages are unsigned.)

$ sudo dnf install --nogpgcheck ./firefox-59.0-3.fc27.x86_64.rpm
...
Package firefox-59.0-3.fc27.x86_64.rpm is not signed
Error: GPG check FAILED


Actual results:

The signature was checked even though I specified --nogpgcheck.

Expected results:

I expected the --nogpgcheck option to skip the checking of GPG signatures on local packages.
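
An added example, not part of the bug report and not dnf's own code: a POSIX shell check that reports whether localpkg_gpgcheck is effectively enabled in the [main] section of a dnf.conf-style file, falling back to the documented default of False when the option is absent. The function names and the sample file are constructed for illustration, and accepting only the spellings 1/0, yes/no and true/false is an assumption of this script.

```shell
#!/bin/sh
# Added example: effective value of a boolean [main] option in a dnf.conf-style file.

# dnf_main_bool FILE KEY DEFAULT -> prints true, false or invalid:<raw value>
dnf_main_bool() {
    awk -v key="$2" -v def="$3" '
        BEGIN { val = def }                  # DEFAULT applies when KEY is absent
        /^[ \t]*[#;]/ { next }               # skip comment lines
        /^[ \t]*\[/ {                        # section header: track [main]
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            in_main = (sec == "main")
            next
        }
        in_main {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            lv = tolower(v)                  # in this script the last assignment wins
            if (lv == "1" || lv == "yes" || lv == "true") val = "true"
            else if (lv == "0" || lv == "no" || lv == "false") val = "false"
            else val = "invalid:" v
        }
        END { print val }
    ' "$1"
}

# audit_localpkg_gpgcheck FILE -> exit status 0 only when local packages are checked
audit_localpkg_gpgcheck() {
    state=$(dnf_main_bool "$1" localpkg_gpgcheck false)  # default False per man dnf.conf
    echo "$1: localpkg_gpgcheck=$state"
    [ "$state" = "true" ]
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
printf '[main]\ngpgcheck=1\n#localpkg_gpgcheck=0\nlocalpkg_gpgcheck = True\n' > "$sample"
audit_localpkg_gpgcheck "$sample"
rm -f "$sample"
```

The check covers the configuration file only; a command-line option such as --nogpgcheck is not visible to it.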

Comment 1 Jaroslav Mracek 2018-05-24 20:44:17 UTC
I created a patch (https://github.com/rpm-software-management/dnf/pull/1097) that should solve the issue.

Comment 2 Jaroslav Mracek 2018-06-28 08:15:31 UTC
The issue is solved by dnf-3.0.1-1 that was released into rawhide.

