Description of problem: Currently, containers-common adds the Red Hat release key to /etc/pki/rpm-gpg. This behaviour was introduced in: https://src.fedoraproject.org/rpms/containers-common/c/67fd4062 Based on the above commit, the initial purpose of this change was to automatically trust signed Red Hat images. However, its effect is that it changes the default set of trusted keys during RPM transactions. I think it's surprising to have a package about containers do this since RPM keys fall outside the scope of this package's functionality. One suggestion is to move the key to another location and have the software stack look in both /etc/pki/rpm-gpg and the new location when building its keyring. Another suggestion is to add a weak dep to the distribution-gpg-keys package, and either document that if /usr/share/distribution-gpg-keys/redhat is present, it'll be added to the container stack-specific keyring, or let users add the directory themselves in some config file. Version-Release number of selected component (if applicable): All recent versions How reproducible: Always Steps to Reproduce: 1. Install containers-common Actual results: Default global RPM keyring is modified. Expected results: Default global RPM keyring is unmodified. Additional info:
Is there a standard place to put container signing keys that are independent of RPM GPG keys?
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.