Description of problem:
(Inspired by #2170878.)

Short gpg key ids are easy to spoof and generally should not be used [e.g. 1]. rpm prints them in various messages:

warning: google-chrome-stable_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY

There is really no point in trying to save a few bytes. Please print at least the "long" 16-digit hash. With the short id the user cannot even reliably look up the key online.

In other output, please print the full hash:

$ rpm -qi util-linux | rg Signature
Signature : RSA/SHA256, Sat 21 Jan 2023 11:02:21 AM CET, Key ID 809a8d7ceb10b464

The full fingerprint is 6A51BBABBA3D5467B6171221809A8D7CEB10B464 and it is just easier to do verification if the full hash is known.

Version-Release number of selected component (if applicable):
rpm-4.18.0-10.fc38.x86_64

[1] https://security.stackexchange.com/questions/84280/short-openpgp-key-ids-are-insecure-how-to-configure-gnupg-to-use-long-key-ids-i
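As an added illustration (not part of the original report and not rpm's own code), the sketch below pulls the key ID out of the two rpm messages quoted above and compares it with a trusted v4 fingerprint, reporting how many bits the comparison actually covered. The function names are hypothetical, and the third sample line is constructed to show a short-ID match.

```python
import re

# Key ID as rpm prints it in the two message styles quoted in the report.
KEY_ID_RE = re.compile(r"key id\s+([0-9a-f]+)", re.IGNORECASE)
KINDS = {8: "short", 16: "long", 40: "fingerprint"}  # hex digits -> ID kind


def extract_key_id(line):
    """Return the lower-cased hex key ID found in an rpm message, or None."""
    m = KEY_ID_RE.search(line)
    return m.group(1).lower() if m else None


def check_line(line, fingerprint):
    """Compare the key ID in `line` with a trusted 40-hex-digit v4 fingerprint.

    Returns (verdict, key_id, bits_compared). A short-id-match covers only
    32 of the fingerprint's 160 bits, so callers should treat it as
    inconclusive rather than as identification of the key.
    """
    fpr = re.sub(r"\s+", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", fpr):
        raise ValueError("expected a 40-hex-digit fingerprint")
    key_id = extract_key_id(line)
    if key_id is None:
        return ("no-key-id", None, 0)
    kind = KINDS.get(len(key_id))
    if kind is None:
        return ("unrecognized-length", key_id, 0)
    bits = 4 * len(key_id)
    # For v4 keys the key ID is the trailing part of the fingerprint.
    if not fpr.endswith(key_id):
        return ("mismatch", key_id, bits)
    verdict = "full-match" if kind == "fingerprint" else kind + "-id-match"
    return (verdict, key_id, bits)


FPR = "6A51BBABBA3D5467B6171221809A8D7CEB10B464"  # fingerprint from the report
WARNING_LINE = ("warning: google-chrome-stable_current_x86_64.rpm: "
                "Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY")
QI_LINE = ("Signature : RSA/SHA256, Sat 21 Jan 2023 11:02:21 AM CET, "
           "Key ID 809a8d7ceb10b464")
# Constructed sample: a short ID that happens to end the fingerprint above.
SHORT_LINE = "warning: example.rpm: Header V4 RSA/SHA256 Signature, key ID eb10b464: NOKEY"

if __name__ == "__main__":
    for sample in (WARNING_LINE, QI_LINE, SHORT_LINE):
        print(check_line(sample, FPR))
```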
Bugs that aren't Fedora specific are best filed upstream. While I generally agree on this, various software actually parses these messages and *will* break if/when changed.
→ https://github.com/rpm-software-management/rpm/issues/2403
Closing for upstream tracking.