Description of problem: When repo_gpgcheck is globally enabled in /etc/yum.conf, this is inherited by the EPEL repo configuration(s) despite the fact that the EPEL repos do not support it. This causes a blocking issue after installing the epel-release package. Version-Release number of selected component (if applicable): epel-release-9-4.el9.src.rpm How reproducible: always Steps to Reproduce: 1. Start with a base RedHat / CentOS / Rocky installation 2. echo 'repo_gpgcheck=1' >> /etc/yum.conf 3. dnf install epel-release 4. dnf search some_package Actual results: ... Errors during downloading metadata for repository 'epel': - Status code: 404 for .../repodata/repomd.xml.asc... Error: Failed to download metadata for repo 'epel': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 404 for .../repodata/repomd.xml.asc Expected results: ... No matches found. Additional info: This is easily fixed by simply adding the following to /etc/yum.repos.d/epel.conf in each block as appropriate. repo_gpgcheck=0 ...seeing as the EPEL repos don't support this, I think it's preferable to override the globally-configured flag and succeed rather than accept failure.
This sounds reasonable and fairly easy to do.
There is something else I think we should consider. If we make this change, a user could set repo_gpgcheck=1 globally and believe they have repodata signature checking for all repos when they do not. We would be hiding that error message from them. With the current config, they would get the error you mentioned, highlighting which repos do not offer signed repodata. That guides users to set repo_gpgcheck at the repo level where it makes more sense, rather than globally.
That also is a very good point. If I keep flipping back and forth ... I'm not being very helpful here. :)