On 08/11/2017 03:54 PM, Markus Lehtonen wrote:
Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck",
and "gpgkey" settings should be configured and working by default. You
shouldn't fix them after the fact in the test. Please add the necessary
code to insert_feeds_uris() in package_manager.py.
Do you think it's a safe assumption that all repos configured via PACKAGE_FEED_URIS are signed and with the same key?
We had a discussion on IRC; the problem here is that some of those repos
may be from a 3rd party, or created earlier with different signing
settings. We don't provide configuration support for such a mix of
repositories; if PACKAGE_FEED_SIGN is enabled, then it is assumed that
all of the configured repositories are signed with the provided key. If
someone needs a more intricate configuration, they can have it via a
custom repository indexer recipe, and image creation hooks that
configure dnf to match that.
The alternative (not configuring dnf to check the signatures) is worse:
the repos are signed, but then dnf does not actually verify anything. So
the signing is quietly subverted. This default case should simply work,
and not fail quietly.
Openembedded-core mailing list