View Issue Details

ID: 0018068
Project: CentOS-8
Category: general
View Status: public
Last Update: 2021-02-17 14:06
Reporter: DavidJohnston
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: open
Product Version: 8.3.2011
Summary: 0018068: DNF handles repo_gpgcheck=1 incorrectly.
Description:
DNF handles repo_gpgcheck=1 incorrectly.
DNF should use GPG for key management. GPG is designed for the task.
DNF repo_gpgcheck should check the signature against keys in the user's keyring, or in a system keyring.
DNF currently manages keys itself, and does so in ways that are arguably unsafe.


I see 3 issues with the current behavior:
1. dnf stores a separate copy of the key for each repo in the cache
2. dnf -y update will add keys without prompting the user
3. clearing the dnf cache drops the keys, exposing the system to?

Steps To Reproduce:
STEPS TO REPRODUCE (USE CASE 1)
### Note that in this example, all four repos are signed with the same key.
### All commands are run as root in this example.
# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf update
## RESULT: Operator is asked to accept the key 4 times, waiting for each repo to load.
## RESULT: This wastes operator time and makes automation difficult


STEPS TO REPRODUCE (USE CASE 2)
### Clear the cache for this test
# rm -Rf /var/cache/dnf/* /var/cache/dnf/.gpgkeyschecked.yum
# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf -y update
## RESULT: DNF accepts the keys without prompting


STEPS TO REPRODUCE (USE CASE 3)
### Set up the test
# rm -Rf /var/cache/dnf/* /var/cache/dnf/.gpgkeyschecked.yum
# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf -y update
### Demonstrate that dnf has the keys (should not prompt the user):
# dnf update
### The real test starts here. An operator has deleted the cache for some reason.
# rm -Rf /var/cache/dnf/*
# dnf update
## RESULT: DNF prompts the user to accept the same key 4 times.

Additional Information:
dnf stores the gpg keys under /var/cache/dnf, for example:
 /var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg
 /var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg
 /var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg
 /var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg
Tags: No tags attached.
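The following is an added example written for this page; it is not code from the reporter and not part of DNF. It audits the situation the three use cases and the cache listing above describe: it parses .repo files the way dnf does (one INI section per repo id), groups the repos that set repo_gpgcheck=1 by the gpgkey they import so an operator can see that the "4 prompts" are four acceptances of one key, flags repos that enable repo_gpgcheck but name no key to import, and maps the per-repo pubring directories under a cache root (the /var/cache/dnf/<repo>-<hash>/pubring layout listed in Additional Information) back to their repo ids. The sample .repo contents, the key URL RPM-GPG-KEY-centosofficial and the temporary cache tree are all constructed for the example.

```python
"""Audit DNF repo_gpgcheck configuration and the per-repo keyrings in the cache.

Added example for this report; it is not code from DNF or from the reporter.
parse_repo_files() reads .repo files the way dnf does (INI sections keyed by
repo id), audit_repo_gpgcheck() groups repos with repo_gpgcheck=1 by the key
they import, expected_key_prompts() shows why one key produces four prompts,
and repo_pubrings() maps the per-repo pubring directories named in the report
back to their repo ids.  All sample data below is constructed for the example.
"""
import configparser
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample .repo files: four CentOS 8 repos signed with one key (as in
# the report), one repo that does not check metadata signatures, and one that
# enables repo_gpgcheck but names no gpgkey to import.
KEY = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial"  # assumed key URL
SAMPLE_REPO_FILES = {
    "CentOS-Linux.repo": "\n".join(
        f"[{rid}]\nname=CentOS Linux 8 - {rid}\nbaseurl=http://mirror.invalid/{rid}/\n"
        f"gpgcheck=1\nrepo_gpgcheck=1\nenabled=1\ngpgkey={KEY}\n"
        for rid in ("appstream", "baseos", "extras", "powertools")
    ),
    "vendor.repo": "[vendor]\nname=Vendor\nbaseurl=http://vendor.invalid/\n"
                   "gpgcheck=1\nrepo_gpgcheck=0\ngpgkey=http://vendor.invalid/KEY\n",
    "broken.repo": "[broken]\nname=Broken\nbaseurl=http://broken.invalid/\n"
                   "gpgcheck=1\nrepo_gpgcheck=1\n",
}


def parse_repo_files(files):
    """Return {repo_id: {option: value}} for every [section] in every file."""
    repos = {}
    for fname, text in files.items():
        cp = configparser.ConfigParser(interpolation=None)  # keep $releasever etc. literal
        cp.read_string(text, source=fname)
        for repo_id in cp.sections():
            repos[repo_id] = dict(cp[repo_id])
    return repos


def _flag(settings, name, default):
    """dnf boolean options: 'enabled' defaults to 1, 'repo_gpgcheck' to 0."""
    return settings.get(name, default).strip().lower() in ("1", "true", "yes")


def audit_repo_gpgcheck(repos):
    """Group enabled repos that set repo_gpgcheck=1 by the gpgkey URL(s) they
    import; also list repos that set it but name no key, so dnf has nothing
    to import and verify the repomd.xml signature against."""
    by_key = defaultdict(list)
    missing_key = []
    for repo_id, s in sorted(repos.items()):
        if not (_flag(s, "enabled", "1") and _flag(s, "repo_gpgcheck", "0")):
            continue
        keys = tuple(sorted(s.get("gpgkey", "").split()))  # gpgkey may list several URLs
        if keys:
            by_key[keys].append(repo_id)
        else:
            missing_key.append(repo_id)
    return dict(by_key), missing_key


def expected_key_prompts(repos):
    """dnf, per the report, prompts once per repo rather than once per key.
    Returns (prompts, distinct_keys); the difference is how many times the
    operator re-accepts a key already accepted for another repo."""
    by_key, _ = audit_repo_gpgcheck(repos)
    return sum(len(ids) for ids in by_key.values()), len(by_key)


def repo_pubrings(cache_root):
    """Map each per-repo cache directory that holds a pubring (for example
    /var/cache/dnf/baseos-929b586ef1f72f69/pubring) back to its repo id.
    The directory is named '<repo id>-<hash>'; one entry per repo shows that
    dnf keeps a separate keyring copy for every repo, even when all of them
    are signed with the same key."""
    found = {}
    for entry in Path(cache_root).iterdir():
        if (entry / "pubring").is_dir():
            found[entry.name.rsplit("-", 1)[0]] = entry / "pubring"
    return found


def make_sample_cache():
    """Build a constructed /var/cache/dnf look-alike in a temp dir, with the
    four per-repo pubrings from the report plus an unrelated cache file."""
    root = Path(tempfile.mkdtemp(prefix="dnf-cache-"))
    for d in ("extras-2770d521ba03e231", "powertools-25a6a2b331e53e98",
              "baseos-929b586ef1f72f69", "appstream-a520ed22b0a8a736"):
        (root / d / "pubring").mkdir(parents=True)
        (root / d / "pubring" / "trustdb.gpg").write_bytes(b"")
    (root / "expired_repos.json").write_text("[]")
    return root


if __name__ == "__main__":
    repos = parse_repo_files(SAMPLE_REPO_FILES)
    by_key, missing = audit_repo_gpgcheck(repos)
    for keys, ids in by_key.items():
        print(f"{' '.join(keys)}: accepted separately by {len(ids)} repos: {', '.join(ids)}")
    print("repo_gpgcheck=1 but no gpgkey:", missing)
    print("prompts vs distinct keys:", expected_key_prompts(repos))
    print("per-repo pubrings:", sorted(repo_pubrings(make_sample_cache())))
```

Run against a real host by replacing SAMPLE_REPO_FILES with the contents of /etc/yum.repos.d/*.repo and calling repo_pubrings("/var/cache/dnf"); the prompts-versus-keys gap is the number of redundant "accept this key?" answers the operator will give on the next `dnf update` with repo_gpgcheck=1, and any repo in the missing-key list will not be able to verify its metadata at all.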

Activities

jcpunk (manager), 2021-02-17 14:06, note ~0038251:

Bug verified, forwarded upstream: https://bugzilla.redhat.com/show_bug.cgi?id=1929728

Issue History

Date Modified Username Field Change
2021-02-15 18:27 DavidJohnston New Issue
2021-02-17 01:08 toracat Status new => acknowledged
2021-02-17 14:06 jcpunk Status acknowledged => confirmed
2021-02-17 14:06 jcpunk Note Added: 0038251