Bug 1563841 - --nogpgcheck should override localpkg_gpgcheck=True
Alias: None
Product: Fedora
Classification: Fedora
Component: dnf
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jaroslav Mracek
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-04-04 21:03 UTC by Robin A. Meade
Modified: 2018-06-28 08:15 UTC

Last Closed: 2018-06-28 08:15:31 UTC
Type: Bug


Description Robin A. Meade 2018-04-04 21:03:25 UTC
Description of problem:

In /etc/dnf/dnf.conf, I set the localpkg_gpgcheck to True to prevent unwittingly installing unsigned packages. The --nogpgcheck command line option should allow me to explicitly override this behavior when desired, but it has no effect. DNF still checks the signature and prevents me from installing unsigned packages.

Version-Release number of selected component (if applicable):

Fedora 27
dnf 2.7.5

Steps to Reproduce:

Check that the localpkg_gpgcheck configuration option is documented:

$ man dnf.conf | grep -F localpkg_gpgcheck --after-context=4

      Whether to perform a GPG signature check on local  packages  (packages
      in a file, not in a repositoy). The default is False.

In /etc/dnf/dnf.conf, I set it to true to prevent unwittingly installing unsigned local packages

$ grep -F localpkg_gpgcheck /etc/dnf/dnf.conf

Check that the --nogpgcheck option is documented

$ man dnf | grep -F nogpgcheck --after-context=2
      skip checking GPG signatures on packages

Now try it. I downloaded a firefox package from koji. (Such packages are unsigned.)

$ sudo dnf install --nogpgcheck ./firefox-59.0-3.fc27.x86_64.rpm
Package firefox-59.0-3.fc27.x86_64.rpm is not signed
Error: GPG check FAILED

Actual results:

The signature was checked even though I specified --nogpgcheck.

Expected results:

I expected the --nogpgcheck option to skip the checking of GPG signatures on local packages.

Comment 1 Jaroslav Mracek 2018-05-24 20:44:17 UTC
I created a patch (https://github.com/rpm-software-management/dnf/pull/1097) that should solve the issue.

Comment 2 Jaroslav Mracek 2018-06-28 08:15:31 UTC
The issue is solved by dnf-3.0.1-1 that was released into rawhide.
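
The precedence this report asks for, as an added shell example that is not part of the bug thread and not dnf's own code. conf_bool and localpkg_check_state are hypothetical helper names, the sample dnf.conf is constructed, and the accepted boolean spellings (1/yes/true/on, 0/no/false/off) are an assumption about dnf's parser.

```shell
# Added example, not dnf code. Accepted boolean spellings are an assumption.
# conf_bool FILE KEY DEFAULT: print 1 or 0 for KEY in the [main] section of a
# dnf.conf-style file, or DEFAULT when the key is absent. Last assignment wins.
conf_bool() {
    awk -v key="$2" -v def="$3" '
        BEGIN { val = def }
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/ {                             # section header
            sec = $0
            gsub(/[ \t]/, "", sec)
            in_main = (sec == "[main]")
            next
        }
        in_main {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = tolower(substr($0, eq + 1))
            gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k != key) next
            if (v ~ /^(1|yes|true|on)$/) val = 1
            else if (v ~ /^(0|no|false|off)$/) val = 0
        }
        END { print val }
    ' "$1"
}

# localpkg_check_state FILE [dnf options...]: print "enforced" or "skipped"
# for local package files. --nogpgcheck on the command line takes precedence
# over the file, which is the behaviour the report asks for. The default for
# localpkg_gpgcheck is False, as the man page text quoted in the report says.
localpkg_check_state() {
    conf=$1; shift
    for opt in "$@"; do
        if [ "$opt" = "--nogpgcheck" ]; then echo skipped; return 0; fi
    done
    if [ "$(conf_bool "$conf" localpkg_gpgcheck 0)" = 1 ]; then
        echo enforced
    else
        echo skipped
    fi
}

# Constructed sample configuration, not taken from the report.
sample=$(mktemp)
printf '[main]\ngpgcheck=1\nlocalpkg_gpgcheck = True\n' > "$sample"
localpkg_check_state "$sample" install ./pkg.rpm               # enforced
localpkg_check_state "$sample" install --nogpgcheck ./pkg.rpm  # skipped
rm -f "$sample"
```

Comparing this expected state with what a given dnf version actually does on an unsigned local package shows whether that version still has the behaviour reported here.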
