2439694 – GNOME Software prompts to import GPG key on first launch

Bug 2439694 - GNOME Software prompts to import GPG key on first launch

Summary: GNOME Software prompts to import GPG key on first launch

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	gnome-software
Sub Component:
Version:	44
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Milan Crha
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2439688 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-13 15:17 UTC by lpavan
Modified:	2026-02-16 13:32 UTC (History)
CC List:	9 users (show)
Fixed In Version:	gnome-software-50~beta-6
Clone Of:
Environment:
Last Closed:	2026-02-16 12:29:55 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
GNOME Software asking to import a key (1.79 MB, image/png) 2026-02-13 15:18 UTC, lpavan	no flags	Details
View All

Description lpavan 2026-02-13 15:17:45 UTC

Upon performing a fresh installation of Fedora 44 (Workstation Pre-release) and launching GNOME Software for the first time, a modal dialog appears titled "Import Key". The dialog asks "Do you want to import key 6D9F90A6?" with details pointing to a key located at `/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-44-x86_64`.

This key seems to be part of the default installation and should be implicitly trusted. Requiring the user to manually verify and import the official distribution key via a GUI pop-up is a regression/bug that creates friction for new users.

Reproducible: Always

Steps to Reproduce:
1. Install a fresh instance of Fedora 44 Workstation (Pre-release).
2. Complete the initial setup (user creation, etc.).
3. Open the "Software" (gnome-software) app.
4. Observe the prompt that appears.

Actual Results:
An "Import Key" dialog appears requiring manual user intervention to trust a GPG key.

Expected Results:
GNOME Software should open without prompting for repository keys, as these should be trusted by default in a standard Fedora installation.

Key information:
- Key user: "Fedora (44) <fedora-44-primary>"
- Fingerprint: 36F6 12DC F27F 7D1A 48A8 35E4 DBFC F71C 6D9F 90A6
- From: /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-44-x86_64

GNOME Software issue (closed):
https://gitlab.gnome.org/GNOME/gnome-software/-/issues/2874

Comment 1 lpavan 2026-02-13 15:18:40 UTC

Created attachment 2129370 [details]
GNOME Software asking to import a key

Comment 2 Milan Crha 2026-02-16 11:08:52 UTC

The problem is that the dnf5 daemon reports the key coming 'from_repo_id': <'8791fdcd77de4fc7889843ec6b74d21c'> , while it cannot find this repository, because it does not exist any more. It remembers it is installed from `@System` repository.

When the keys are updated later on, like when moving from one version to another, the information can be more "accurate". In a rawhide machine I've here it says: 'from_repo_id': <'rawhide'> , and there exists such repository.

It seems I cannot configure an `@System` repository myself, thus I guess I can treat such repos as "fine to import the key from" and auto-accept key import requests for keys from such repositories. Unfortunately, packages installed from command line identify "from_repo_id" as "@commandline" and the "repo_id" as "@System", thus checking only the repo_id on its own won't work well for the heuristic.

I do not see any better way than to accept "@System" only if not being "@commandline" at the same time. It can be extended in the future, if needed.

Comment 3 Milan Crha 2026-02-16 12:29:55 UTC

Fixed/changed by https://gitlab.gnome.org/mcrha/gnome-software/-/commit/8023c8ca81d81640fd00ed587c4bed6f52391bcd , to be included in the next build.

Comment 4 Milan Crha 2026-02-16 13:32:55 UTC

*** Bug 2439688 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.