On 08/11/2017 03:54 PM, Markus Lehtonen wrote:

     Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck",
     and "gpgkey" settings should be configured and working by default. You
     shouldn't fix them after the fact in the test. Please add the necessary
     code to insert_feeds_uris() in package_manager.py.
Do you think it's a safe assumption that all repos configured via PACKAGE_FEED_URIS are signed and with the same key?

We had a discussion on IRC; the problem here is that some of those repos may be from a 3rd party, or created earlier with different signing settings. We don't provide configuration support for such a mix of repositories; if PACKAGE_FEED_SIGN is enabled, then it is assumed that all of the configured repositories are signed with the provided key. If someone needs a more intricate configuration, they can have it via a custom repository indexer recipe, and image creation hooks that configure dnf to match that.

The alternative (not configuring dnf to check the signatures) is worse: the repos are signed, but then dnf does not actually verify anything. So the signing is quietly subverted. This default case should simply work, and not fail quietly.

Openembedded-core mailing list

Reply via email to