Fedora-34: (package).rpm is not signed

Attempting to install interface/support apps for my Digilent ANALOG-Discovery2 USB multi-function test instrument.
In a Fedora-34 template:
Tried installing Digilent ‘Adept Runtime’ rpm & I get this error:
“Package digilent.adept.runtime-2.21-3.x86_64 is not signed
Error: GPG check FAILED”
Tried setting gpgcheck=0 in dnf.conf, and also the ‘--nogpgcheck’ option w/dnf command, no help. Can’t install WAVEFORMS app until I get Adept Runtime up.
What am I doing wrong, and/or what do I need to do right?
Help help I’m being repressed.

This is due to a security mitigation described in QSB-067: Multiple RPM vulnerabilities | Qubes OS

The solution is also described in that post:


Side effects
=============

The mitigation forces signature verification in RPM regardless of other
options. This means that RPM will refuse to install packages that are
unsigned (or signed with an untrusted signature), even when explicitly
requested to do so. This breaks use cases such as installing
locally-built packages and installing manually-downloaded packages the
integrity of which was verified separately (which is often the case for
closed-source software).

In such cases, neither `dnf install /path/to/the/package.rpm` nor `rpm
-i /path/to/the/package.rpm` will work any longer. Instead, to install a
package without a trusted signature (that has been verified by other
means), use the following command:

    rpm --define '_pkgverify_level digest' -i /path/to/the/package.rpm

If the package has any dependencies, the above command will list them,
and they will have to be installed with `dnf` manually.
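
One way to carry out the "verified by other means" step before running the install command quoted above. This is an added example, not part of QSB-067 or of the reply. It assumes the vendor publishes a SHA-256 value for the download over a channel you trust; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from QSB-067): check a vendor-published SHA-256 before
# installing an unsigned RPM with the digest-only verification level.

# Return 0 only if FILE's SHA-256 equals EXPECTED (64 hex chars, any case).
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Reject malformed or empty expected values instead of comparing them.
    printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' ||
        { echo "expected value is not a SHA-256 hex digest" >&2; return 2; }
    # Read via stdin so unusual file names cannot alter sha256sum's output.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] ||
        { echo "SHA-256 mismatch for $file" >&2; return 1; }
}

# Verify first, then run the install command quoted from QSB-067.
install_verified_rpm() {
    verify_sha256 "$1" "$2" || return
    rpm --define '_pkgverify_level digest' -i "$1"
}

# Usage: sh install-unsigned.sh /path/to/package.rpm <sha256 from the vendor>
if [ "$#" -eq 2 ]; then
    install_verified_rpm "$1" "$2"
fi
```

On a mismatch or a malformed expected value, `rpm` is never invoked and the script exits non-zero.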

Thanks immensely Deeplow,
The rpm --define . . . command string in your response produced two dependencies:
qt5-multimedia
qt5-qtscript
Once satisfied, the Adept runtime, then the WAVEFORMS interface app installed cleanly.

You’re welcome!