I enabled the Cisco H264 repo. Now I always get: $ dnf -C updateinfo Fedora 29 openh264 (From Cisco) - x86_64 1.6 kB/s | 1.6 kB 00:01 Importing GPG key 0x429476B4: Userid : "Fedora 29 (29) <fedora-29>" Fingerprint: 5A03 B4DD 8254 ECA0 2FDA 1637 A20A A56B 4294 76B4 From : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-x86_64 Is this ok [y/N]: whenever I do any operation as a user with `dnf -C` (I have that as an alias, as I want to avoid duplicate caching.) But that key is already imported! I mean, it's the main Fedora 29 GPG key, even: $ rpm -q gpg-pubkey|grep -i 429476B4 gpg-pubkey-429476b4-5a886537 Running DNF as root works fine. Running DNF as a user without -C downloads the cache (even though the root metadata was just updated! -- is that a known bug?) into /var/tmp, and asks for the key, but then does not do that on subsequent runs -- until I do `dnf -C`, and then I'm asked for the key again!!!
Sorry -- I forgot to list dnf version. This persist in dnf-4.0.9-1.fc29.noarch
The key import is the repo key, rather than the rpmdb key, due to the fedora-cisco-openh264 repo having "repo_gpgcheck" enabled by default. The key for repo_gpgcheck is stored in a gpg homedir under /var/cache/dnf/fedora-cisco-openh264-XXXXXXXXXXXXXXXX/pubring/. If I had to guess, when run as a user, dnf can't read that gpg homedir (it can't connect to any running gpg-agent nor start one if needed). It's still strange (and undesirable) that the user is prompted to import it, of course. I don't know how easy this is to resolve, but it would be nice to be able to run 'dnf -C' as a user without these prompts and have any repos which require gpgcheck still work. Currently, whether you say yes or no to the import prompt, dnf follows with "Cache-only enabled but no cache for 'fedora-cisco-openh264'" and "Ignoring repositories: fedora-cisco-openh264." Here's some sample output to illustrate: # As root, dnf lists packages (and will ensure the cache is updated, key imported, etc. $ sudo dnf --disablerepo '*' --enablerepo fedora-cisco-openh264 list available Last metadata expiration check: 0:26:34 ago on Sun 03 Mar 2019 11:47:29 AM EST. Available Packages gstreamer1-plugin-openh264.i686 1.14.2-1.fc29 fedora-cisco-openh264 gstreamer1-plugin-openh264.x86_64 1.14.2-1.fc29 fedora-cisco-openh264 mozilla-openh264.x86_64 1.8.0-2.fc29 fedora-cisco-openh264 openh264.i686 1.8.0-2.fc29 fedora-cisco-openh264 openh264.x86_64 1.8.0-2.fc29 fedora-cisco-openh264 openh264-debugsource.x86_64 1.8.0-2.fc29 fedora-cisco-openh264 openh264-devel.i686 1.8.0-2.fc29 fedora-cisco-openh264 openh264-devel.x86_64 1.8.0-2.fc29 fedora-cisco-openh264 # As user with -C, the repo is ignored (regardless of the answer to the import prompt) $ dnf -C --disablerepo '*' --enablerepo fedora-cisco-openh264 list available Fedora 29 openh264 (From Cisco) - x86_64 1.5 MB/s | 1.6 kB 00:00 Importing GPG key 0x429476B4: Userid : "Fedora 29 (29) <fedora-29>" Fingerprint: 5A03 B4DD 8254 ECA0 2FDA 1637 A20A A56B 4294 76B4 From : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-29-x86_64 Is this ok [y/N]: n Cache-only enabled but no cache for 'fedora-cisco-openh264' Ignoring repositories: fedora-cisco-openh264 This makes 'dnf -C' mostly unusable if you have repos with repo_gpgcheck enabled, since the answers you'll get from any queries will be excluding those repos. A fix may require changes in libdnf as well, since it looks like much of the repo_gpgcheck handling lives there. Maybe the gpg homedir can be copied from the system cache to the user cache dir so it can be used? A workaround (though I wouldn't really recommend it) is to add '--nogpgcheck' to disable all gpg checking. In combination with 'dnf -C' perhaps it's not terrible, since nothing is being downloaded which wasn't already downloaded and presumably checked when it was added to the system cache.
I think this is a duplicate of #1247644 (dnf --cacheonly wants to import GPG key when using repo_gpgcheck, 2015-07-28).
*** This bug has been marked as a duplicate of bug 1247644 ***