Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Install Fedora 32 2. $ sudo bash 3. # dnf download <package> 4. # rpm -K <package> 5. # dnf install <anything> 6. # rpm -K <package> Actual results: First run of rpm reports that digest SIGNATURES NOT OK, while second run with the very same command and file reports digest signatures OK. Expected results: Signatures consistently reported OK or not. Additional info: - Works for any package. - It's the act of dnf install that fixes the problem, so you can install anything! - Found while investigating bug 1853665.
Sorry, forgot to fill in the template. Version: rpm-4.15.1-2.fc32.1.x86_64 Description: SSIA ;-)
The signature verification fails because the public key is not available, "dnf install" imports the key as a part of the process which is why it works afterwards. Whether distro keys are imported on system install or not is not rpm's decision at all (it never imports anything on its own), reassigning to anaconda.
Panu, thanks for the explanation. I asked around and I'm told this is a duplicate of some ancient bug about the same broad issue, but I can't find that bug. So I can't close this one as a duplicate, but I would.
That probably refers to bug 998, but it's not quite the same: it would be possible to verify the signatures during installation without importing the keys to rpmdb (as it would also be possible to import the keys but not actually check).
Changing description to reflect better what this really is, relative to how things are now. (If that's wrong, let's change it more...)
PR with basic idea - probably needs changing into an internal task... https://github.com/rhinstaller/anaconda/pull/2855
Looks like a duplicate of the bug 748320.
PR changed and merged...
*** Bug 748320 has been marked as a duplicate of this bug. ***
(In reply to Panu Matilainen from comment #4) > That probably refers to bug 998, but it's not quite the same: it would be > possible to verify the signatures during installation without importing the > keys to rpmdb (as it would also be possible to import the keys but not > actually check). This comment makes me nervous - I hope that signatures are already verified during installation!?
This message is a reminder that Fedora 32 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '32'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 32 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Seems fixed? Closing.