Description of problem:
In /etc/dnf/dnf.conf, I set the localpkg_gpgcheck to True to prevent unwittingly installing unsigned packages. The --nogpgcheck command line option should allow me to explicitly override this behavior when desired, but it has no effect. DNF still checks the signature and prevents me from installing unsigned packages.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Check that the localpkg_gpgcheck configuration option is documented:
$ man dnf.conf | grep -F localpkg_gpgcheck --after-context=4
Whether to perform a GPG signature check on local packages (packages
in a file, not in a repositoy). The default is False.
In /etc/dnf/dnf.conf, I set it to true to prevent unwittingly installing unsigned local packages
$ grep -F localpkg_gpgcheck /etc/dnf/dnf.conf
Check that the --nogpgcheck option is documented:
$ man dnf | grep -F nogpgcheck --after-context=2
skip checking GPG signatures on packages
Now try it. I downloaded a firefox package from koji. (Such packages are unsigned.)
$ sudo dnf install --nogpgcheck ./firefox-59.0-3.fc27.x86_64.rpm
Package firefox-59.0-3.fc27.x86_64.rpm is not signed
Error: GPG check FAILED
The signature was checked even though I specified --nogpgcheck.
I expected the --nogpgcheck option to skip the checking of GPG signatures on local packages.
I created a patch (https://github.com/rpm-software-management/dnf/pull/1097) that should solve the issue.
The issue is solved by dnf-3.0.1-1 that was released into rawhide.
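An added example, not part of the bug report or of DNF's code: a shell helper that reports the effective localpkg_gpgcheck value in the [main] section of a dnf.conf-style file, so a host can be audited for whether local packages are signature-checked. The function name localpkg_gpgcheck_effective, the accepted boolean spellings and the sample configuration are assumptions made for the example; the fallback of False is the default quoted from the man page above.

```shell
#!/usr/bin/env bash
# Added example: audit a dnf.conf-style file for localpkg_gpgcheck.

# Print "true", "false" or "invalid" for localpkg_gpgcheck in [main] of file $1.
# Falls back to "false", the default stated in the dnf.conf man page excerpt.
# Assumption: booleans may be spelled 1/0, yes/no, true/false, on/off (any case).
localpkg_gpgcheck_effective() {
    awk '
        BEGIN { val = "false" }
        /^[ \t]*[#;]/ { next }              # skip comment lines
        /^[ \t]*\[/ {                       # section header such as [main]
            sect = $0
            gsub(/^[ \t]*\[/, "", sect)
            gsub(/\].*$/, "", sect)
            next
        }
        sect == "main" {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (key != "localpkg_gpgcheck") next
            v = tolower(v)
            if (v ~ /^(1|yes|true|on)$/) val = "true"
            else if (v ~ /^(0|no|false|off)$/) val = "false"
            else val = "invalid"            # unrecognised value: flag for review
        }
        END { print val }
    ' "$1"
}

# Constructed sample configuration (not taken from the report).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[main]
gpgcheck=1
localpkg_gpgcheck=True
EOF
echo "localpkg_gpgcheck effective value: $(localpkg_gpgcheck_effective "$sample")"
rm -f "$sample"
```

On a real host, pass /etc/dnf/dnf.conf as the argument; a result of "false" means unsigned local packages install without any signature check.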