repo_gpgcheck fails if key is not already imported

[sdherr]

Describe the bug

If your .repo file has specified repo_gpgcheck=1 to check the gpg signature of repo metadata, synchronizing the repo cache fails if the gpg key is not already imported. What it should do instead is install the gpg keys from gpgkey and try again, like gpgcheck does.

Reproduction steps

1. mkdir /tmp/myrepo
2. cd /tmp/myrepo
3. wget some-rpm.rpm
4. createrepo .
5. cd repodata
6. gpg --no-default-keyring --keyring isolated.keyring --full-generate-key # I chose "RSA and RSA" and defaults and "asdf" as the name.
7. gpg --no-default-keyring --keyring isolated.keyring --armor --export asdf > repomd.xml.key
8. gpg --no-default-keyring --keyring isolated.keyring --output repomd.xml.asc --armor --detach-sign repomd.xml

9. cat <<EOF > /etc/yum.repos.d/myrepo.repo  
   [myrepo]  
   baseurl=file:///tmp/myrepo/  
   enabled=0   
   repo_gpgcheck=1  
   gpgkey=file:///tmp/myrepo/repodata/repomd.xml.key  
   EOF
   

10. tdnf install -y --disablerepo=* --enablerepo myrepo some-rpm

Loaded plugin: tdnfrepogpgcheck
Refreshing metadata for: 'myrepo'
repo md signature check: No public key     659 100%
Error: TDNFVerifySignature 2004
Plugin error: repogpgcheck plugin error: failed to verify signature

Error(2004) : Unknown error 404
Error: Failed to synchronize cache for repo 'myrepo'
Error(2004) : Unknown error 404

Expected behavior

The installation should succeed. The gpgkey should be read and imported from the gpgkey option, and then checking the metadata signature should work.

Additional context

Tested on tdnf: 3.5.2

[oliverkurth]

Thanks for reporting. I will take a look.

[oliverkurth]

Okay, I can reproduce this.

I think it is not a very big deal though because you can just import the key (gpg --import /path/to/key), and you're good. We can document this behavior.

[sdherr]

That's your call but I maintain that this is a bug that should be fixed. Notably dnf does not do this, it installs the key and proceeds without error. And it's problematic if you are a repo maintainer, not the user, because there's no way to bootstrap users into using your repo by just giving them a repo file if you're using this feature. I could also imagine problems that might arise if your singing key was compromised and you had to migrate to a new one. It's an extra friction point that could be removed.

[JLunda]

I am also encountering this issue on the mcr.microsoft.com/cbl-mariner/base/core:2.0 image when trying to do a simple tdnf -y install (or update) zip, for example. I receive the following error messages before it disables each of the Mariner repos:

 Refreshing metadata for: 'CBL-Mariner Official Base 2.0 x86_64'
2.234 Error: TDNFVerifySignature 2003
2.234 Plugin error: repogpgcheck plugin error: failed to verify result
2.234
2.234 Error(2003) : Unknown error 403
2.234 Error: Failed to synchronize cache for repo 'CBL-Mariner Official Base 2.0 x86_64'    
2.235 Disabling Repo: 'CBL-Mariner Official Base 2.0 x86_64'
2.235 Refreshing metadata for: 'CBL-Mariner Official Microsoft 2.0 x86_64'
2.597 Error: TDNFVerifySignature 2003
2.597 Plugin error: repogpgcheck plugin error: failed to verify result
2.597
2.597 Error(2003) : Unknown error 403
2.598 Disabling Repo: 'CBL-Mariner Official Microsoft 2.0 x86_64'
2.598 Refreshing metadata for: 'CBL-Mariner Official Extras 2.0 x86_64'
2.598 Error: Failed to synchronize cache for repo 'CBL-Mariner Official Microsoft 2.0 x86_64

[sdherr]

@oliverkurth in addition to the whole "not prompting to install the missing key" thing, tdnf-plugin-repogpgcheck seems to use the default root keyring, NOT the same keyring that tdnf or rpm use. So even if tdnf has imported the key before, and even if you've done an rpm --import <key> before, tdnf-plugin-repogpgcheck will still die with that "TDNFVerifySignature 2004" error if you have enabled repo_gpgcheck=1. That seems like another clear bug to me.