Warning: Enforcing GPG signature check globally as per active RPM security policy (see ‘gpgcheck’ in dnf.conf(5) for how to squelch this message)

so after applying the latest updates, including the one for RPM, I’m seeing this

```
sudo qubes-dom0-update --clean
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time…
Warning: Enforcing GPG signature check globally as per active RPM security policy (see ‘gpgcheck’ in dnf.conf(5) for how to squelch this message)
33 files removed
Warning: Enforcing GPG signature check globally as per active RPM security policy (see ‘gpgcheck’ in dnf.conf(5) for how to squelch this message)
Fedora 25 - x86_64 - Updates 683 kB/s | 24 MB 00:35
Fedora 25 - x86_64 1.5 MB/s | 50 MB 00:33
Qubes Dom0 Repository (updates) 37 kB/s | 2.0 MB 00:56
determining the fastest mirror (14 hosts)… done…6 kB/s | 2.6 kB 00:00 ETA
Qubes Templates repository 101 B/s | 5.9 kB 00:59
Dependencies resolved.
Nothing to do.
Complete!
No packages downloaded
```

however, looking in dnf.conf I see NOT how I’m supposed to “squelch” it

Hi @Clodius, the hint dnf.conf(5) refers to a manual page (“man page”), that you can open with:

```
man dnf.conf
```

The number in brackets represents the section to which that specific page belongs. Section 5 covers file formats and this specific man page documents the format of the dnf.conf files.

The beginning of the page looks like this:

```
DNF.CONF(5)                           DNF                          DNF.CONF(5)

NAME
       dnf.conf - DNF Configuration Reference

DESCRIPTION
       DNF  by default uses the global configuration file at /etc/dnf/dnf.conf
       and all *.repo files found under /etc/yum.repos.d. The latter is  typi‐
       cally  used  for  repository  configuration  and  takes precedence over
       global configuration.

       [...]
```

Further down, you’ll find a section called OPTIONS FOR BOTH [MAIN] AND REPO and in there the documentation for the gpgcheck option that the error message suggests you read :slightly_smiling_face:

Edit to add: if you want to search a term in the page, you can usually type /term (e.g. /gpgcheck) and press n or N to jump to the previous or next occurrence of the term in the page.
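An added example, not part of any post in this thread: because `gpgcheck` can be set both in `[main]` of /etc/dnf/dnf.conf and in each `*.repo` section, with the repo value taking precedence, this Python sketch resolves the effective value for every enabled repository and also reports `localpkg_gpgcheck`. The function names and sample file contents are constructed for illustration, and it assumes the defaults `gpgcheck` off and `enabled` on when a key is absent.

```python
import configparser
from pathlib import Path

TRUE = {"1", "yes", "true", "on"}    # boolean spellings accepted in dnf.conf
FALSE = {"0", "no", "false", "off"}


def _as_bool(value, default):
    """Interpret a dnf.conf boolean; fall back to `default` when the key is absent."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in TRUE:
        return True
    if v in FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def _parse(text):
    # interpolation=None: repo files contain '%' and '$releasever' literally.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit(main_conf_text, repo_files):
    """Return (findings, localpkg_gpgcheck).

    findings lists (file, repo id, where the value came from) for every
    enabled repository whose effective gpgcheck is off.
    """
    main = _parse(main_conf_text)
    main_gpgcheck = _as_bool(main.get("main", "gpgcheck", fallback=None), False)
    localpkg = _as_bool(main.get("main", "localpkg_gpgcheck", fallback=None), False)
    findings = []
    for fname, text in sorted(repo_files.items()):
        cp = _parse(text)
        for repo_id in cp.sections():
            if repo_id == "main":          # a [main] section is not a repository
                continue
            if not _as_bool(cp.get(repo_id, "enabled", fallback=None), True):
                continue                   # disabled repos do not matter here
            # Repo-level value wins; otherwise inherit [main], then the default.
            if _as_bool(cp.get(repo_id, "gpgcheck", fallback=None), main_gpgcheck):
                continue
            source = ("set in repo section" if cp.has_option(repo_id, "gpgcheck")
                      else "inherited from [main] or default")
            findings.append((fname, repo_id, source))
    return findings, localpkg


def load_system(root="/"):
    """Read the real files (paths as named in dnf.conf(5)) for use with audit()."""
    base = Path(root)
    conf = base / "etc/dnf/dnf.conf"
    main_text = conf.read_text() if conf.exists() else ""
    repo_dir = base / "etc/yum.repos.d"
    return main_text, {p.name: p.read_text() for p in sorted(repo_dir.glob("*.repo"))}


# Constructed sample input, not taken from any real system.
SAMPLE_MAIN = "[main]\ngpgcheck=1\ninstallonly_limit=3\n"
SAMPLE_REPOS = {
    "example-updates.repo": (
        "[example-updates]\nname=Example updates\nenabled=1\ngpgcheck=1\n"
        "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example\n\n"
        "[example-testing]\nname=Example testing\nenabled=0\ngpgcheck=0\n"
    ),
    "example-local.repo": (
        "[example-local]\nname=Example local mirror\n"
        "baseurl=file:///srv/mirror/$releasever/\nenabled=yes\ngpgcheck=False\n\n"
        "[example-inherit]\nname=Inherits gpgcheck from [main]\n"
        "baseurl=file:///srv/inherit/\n"
    ),
}

if __name__ == "__main__":
    found, localpkg_ok = audit(SAMPLE_MAIN, SAMPLE_REPOS)
    for fname, repo_id, source in found:
        print(f"{fname}: [{repo_id}] gpgcheck is off ({source})")
    print("localpkg_gpgcheck:", "on" if localpkg_ok else "off")
```

To check a live system instead of the sample, call `audit(*load_system())`.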

thanks for the response, however my supercow powers are NOT so great,
reading repo options-> gpgkey ; doesn’t get me, personally, any closer, to what is expected behaviour and what I’m to do if I’m supposed to ‘squelch’ the message.

   gpgkey list of strings

          URLs of a GPG key files that can be used for signing metadata and packages of this repository, empty by default. If a file can not be verified using the  already  imported
          keys, import of keys from this option is attempted and the keys are then used for verification.

this seems to have come about after qubes-secpack/QSBs/qsb-067-2021.txt at master · QubesOS/qubes-secpack · GitHub

After installing the updates in dom0, it is necessary to install updates
in Fedora-based TemplateVMs and StandaloneVMs. This can be
done via the Qubes Update tool [4] or using qubesctl (salt) as follows:

$ sudo qubesctl --skip-dom0 --templates state.sls update.qubes-vm

After installing the updates in dom0, it is necessary to install updates
in Fedora-based TemplateVMs and StandaloneVMs. This can be
done via the Qubes Update tool [4] or using qubesctl (salt) as follows:

$ sudo qubesctl --skip-dom0 --templates --standalones state.sls update.qubes-vm
actually fails FWIW.

maybe it’s more of a Fedora error message, that I might look up elsewhere, but was asking here.
seems to be something similar going on in Fed33 templates for this person

These are maybe result of recent RPM hardening by Demi Marie :thinking:
And nss issue has already been resolved.

ah ok, I *also see the “Warning” in the Fed33 Template, just had been using the gear Icon, and not doing the sudo dnf update in a terminal.

so it’s in both dom0 and the Fedora templates, if it’s fine to just ignore it, it would be good to know ..
*Coincidentally the latest update seems to reference/install a package fedora-gpg-keys, maybe this will solve it, but there *is a run of "404s", though seems to install normally otherwise, hmm
during the update I *did notice this:

[user@fedora-33 ~]$ sudo dnf update
Warning: Enforcing GPG signature check globally as per active RPM security policy (see 'gpgcheck' in dnf.conf(5) for how to squelch this message)
Fedora Modular 33 - x86_64 - Updates                                                                                                                                                                           12 kB/s |  24 kB     00:02    
Fedora Modular 33 - x86_64 - Updates                                                                                                                                                                          9.1 kB/s |  45 kB     00:04    
Fedora 33 - x86_64 - Updates                                                                                                                                                                                  8.8 kB/s |  14 kB     00:01    
Fedora 33 - x86_64 - Updates                                                                                                                                                                                  196 kB/s | 2.6 MB     00:13    
Last metadata expiration check: 0:00:01 ago on Fri Apr 9
Dependencies resolved.
==============================================================================================================================================================================================================================================
 Package                                                           Architecture                                       Version                                                       Repository                                           Size
==============================================================================================================================================================================================================================================
Upgrading:
 fedora-gpg-keys                                                   noarch                                             33-4                                                          updates                                             111 k
 fedora-repos                                                      noarch                                             33-4                                                          updates                                              11 k
 fedora-repos-modular                                              noarch                                             33-4                                                          updates                                              10 k
 grilo-plugins                                                     x86_64                                             0.3.13-1.fc33                                                 updates                                             1.0 M
 gtk-update-icon-cache                                             x86_64                                             3.24.28-2.fc33                                                updates                                              33 k
 gtk3                                                              x86_64                                             3.24.28-2.fc33                                                updates                                             4.7 M
 hwdata                                                            noarch                                             0.346-1.fc33                                                  updates                                             1.5 M

Transaction Summary
==============================================================================================================================================================================================================================================
Upgrade  7 Packages

Total download size: 7.4 M
Is this ok [y/N]: y
Downloading Packages:
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.acc.umu.se/mirror/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                           
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.acc.umu.se/mirror/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                           
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.acc.umu.se/mirror/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                     
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.acc.umu.se/mirror/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                            
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.acc.umu.se/mirror/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                            
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.acc.umu.se/mirror/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                      
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.icm.edu.pl/pub/Linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                        
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.icm.edu.pl/pub/Linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                  
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.icm.edu.pl/pub/Linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                        
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.icm.edu.pl/pub/Linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                         
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.icm.edu.pl/pub/Linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                         
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.icm.edu.pl/pub/Linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                   
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://mirror2.hs-esslingen.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                    
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://mirror2.hs-esslingen.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                          
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for https://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)      
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)       
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://mirror2.hs-esslingen.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                          
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for https://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.lysator.liu.se/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                    
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.lysator.liu.se/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                          
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for https://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)            
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.lysator.liu.se/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                           
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.lysator.liu.se/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                     
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)             
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp-stud.hs-esslingen.de/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                              
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp-stud.hs-esslingen.de/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                    
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.lysator.liu.se/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                          
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp-stud.hs-esslingen.de/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                               
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp-stud.hs-esslingen.de/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                     
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.lysator.liu.se/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                           
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp-stud.hs-esslingen.de/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                    
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.fi.muni.cz/pub/linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                         
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.fi.muni.cz/pub/linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                   
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp-stud.hs-esslingen.de/pub/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                     
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://mirror.nl.leaseweb.net/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                           
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://mirror.nl.leaseweb.net/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                     
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.fi.muni.cz/pub/linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                         
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://mirror.dogado.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                 
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://mirror.nl.leaseweb.net/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                           
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://mirror.dogado.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                           
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for https://mirror.dogado.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for https://mirror.dogado.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                          
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://mirror.dogado.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                                 
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.halifax.rwth-aachen.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                       
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for https://mirror.dogado.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                                
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.halifax.rwth-aachen.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                 
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.halifax.rwth-aachen.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                      
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.halifax.rwth-aachen.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://ftp.halifax.rwth-aachen.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                       
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for https://ftp.halifax.rwth-aachen.de/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                      
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for https://www.fedora.is/fedora/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                         
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for https://www.fedora.is/fedora/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                                   
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for https://www.fedora.is/fedora/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                                         
[MIRROR] fedora-repos-modular-33-3_33-4.noarch.drpm: Status code: 404 for http://fedora.tu-chemnitz.de/pub/linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-modular-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                  
[MIRROR] fedora-gpg-keys-33-3_33-4.noarch.drpm: Status code: 404 for http://fedora.tu-chemnitz.de/pub/linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-gpg-keys-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                            
[MIRROR] fedora-repos-33-3_33-4.noarch.drpm: Status code: 404 for http://fedora.tu-chemnitz.de/pub/linux/fedora/linux/updates/33/Everything/x86_64/drpms/fedora-repos-33-3_33-4.noarch.drpm (IP: 127.0.0.1)                                  
(1/7): fedora-repos-modular-33-3_33-4.noarch.drpm                                                                                                                                                             208  B/s | 7.7 kB     00:37    
(2/7): fedora-gpg-keys-33-3_33-4.noarch.drpm                                                                                                                                                                  1.0 kB/s |  38 kB     00:38    
[DRPM 1/3] fedora-repos-modular-33-3_33-4.noarch.drpm: done                                                                                                                                                                                  
(3/7): fedora-repos-33-3_33-4.noarch.drpm                                                                                                                                                                     209  B/s | 8.0 kB     00:39    
[DRPM 2/3] fedora-gpg-keys-33-3_33-4.noarch.drpm: done                                                                                                                                                                                       
(4/7): gtk-update-icon-cache-3.24.28-2.fc33.x86_64.rpm                                                                                                                                                         16 kB/s |  33 kB     00:02    
(5/7): grilo-plugins-0.3.13-1.fc33.x86_64.rpm                                                                                                                                                                 292 kB/s | 1.0 MB     00:03    
(6/7): hwdata-0.346-1.fc33.noarch.rpm                                                                                                                                                                         416 kB/s | 1.5 MB     00:03    
(7/7): gtk3-3.24.28-2.fc33.x86_64.rpm                                                                                                                                                                         731 kB/s | 4.7 MB     00:06    
[DRPM 3/3] fedora-repos-33-3_33-4.noarch.drpm: done                                                                                                                                                                                          
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                         155 kB/s | 7.3 MB     00:48     
Delta RPMs reduced 7.4 MB of updates to 7.3 MB (1.1% saved)
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                      1/1 
  Upgrading        : gtk-update-icon-cache-3.24.28-2.fc33.x86_64                                                                                                                                                                         1/14 
  Upgrading        : fedora-gpg-keys-33-4.noarch                                                                                                                                                                                         2/14 
  Upgrading        : fedora-repos-33-4.noarch                                                                                                                                                                                            3/14 
  Upgrading        : fedora-repos-modular-33-4.noarch                                                                                                                                                                                    4/14 
  Upgrading        : gtk3-3.24.28-2.fc33.x86_64                                                                                                                                                                                          5/14 
  Upgrading        : hwdata-0.346-1.fc33.noarch                                                                                                                                                                                          6/14 
  Upgrading        : grilo-plugins-0.3.13-1.fc33.x86_64                                                                                                                                                                                  7/14 
  Cleanup          : fedora-repos-modular-33-3.noarch                                                                                                                                                                                    8/14 
  Cleanup          : fedora-repos-33-3.noarch                                                                                                                                                                                            9/14 
  Cleanup          : gtk3-3.24.28-1.fc33.x86_64                                                                                                                                                                                         10/14 
  Cleanup          : fedora-gpg-keys-33-3.noarch                                                                                                                                                                                        11/14 
  Cleanup          : hwdata-0.345-1.fc33.noarch                                                                                                                                                                                         12/14 
  Cleanup          : gtk-update-icon-cache-3.24.28-1.fc33.x86_64                                                                                                                                                                        13/14 
  Cleanup          : grilo-plugins-0.3.12-2.fc33.x86_64                                                                                                                                                                                 14/14 
  Running scriptlet: grilo-plugins-0.3.12-2.fc33.x86_64                                                                                                                                                                                 14/14 
  Verifying        : fedora-gpg-keys-33-4.noarch                                                                                                                                                                                         1/14 
  Verifying        : fedora-gpg-keys-33-3.noarch                                                                                                                                                                                         2/14 
  Verifying        : fedora-repos-33-4.noarch                                                                                                                                                                                            3/14 
  Verifying        : fedora-repos-33-3.noarch                                                                                                                                                                                            4/14 
  Verifying        : fedora-repos-modular-33-4.noarch                                                                                                                                                                                    5/14 
  Verifying        : fedora-repos-modular-33-3.noarch                                                                                                                                                                                    6/14 
  Verifying        : grilo-plugins-0.3.13-1.fc33.x86_64                                                                                                                                                                                  7/14 
  Verifying        : grilo-plugins-0.3.12-2.fc33.x86_64                                                                                                                                                                                  8/14 
  Verifying        : gtk-update-icon-cache-3.24.28-2.fc33.x86_64                                                                                                                                                                         9/14 
  Verifying        : gtk-update-icon-cache-3.24.28-1.fc33.x86_64                                                                                                                                                                        10/14 
  Verifying        : gtk3-3.24.28-2.fc33.x86_64                                                                                                                                                                                         11/14 
  Verifying        : gtk3-3.24.28-1.fc33.x86_64                                                                                                                                                                                         12/14 
  Verifying        : hwdata-0.346-1.fc33.noarch                                                                                                                                                                                         13/14 
  Verifying        : hwdata-0.345-1.fc33.noarch                                                                                                                                                                                         14/14 
Notifying dom0 about installed applications

Upgraded:
  fedora-gpg-keys-33-4.noarch   fedora-repos-33-4.noarch   fedora-repos-modular-33-4.noarch   grilo-plugins-0.3.13-1.fc33.x86_64   gtk-update-icon-cache-3.24.28-2.fc33.x86_64   gtk3-3.24.28-2.fc33.x86_64   hwdata-0.346-1.fc33.noarch '

Hi @Clodius,
please fix the look of your previous post. To do this, the markdown syntax is
```
here your preformatted text output
```

Thanks


@Clodius I think you looked up the wrong option in the manual page, it’s gpgcheck that’s mentioned in the warning message, not gpgkey. The gpgcheck entry reads as follows:

```
       gpgcheck
              boolean

              Whether to perform GPG signature check on packages found in this repository.  The default is False.

              This  option can only be used to strengthen the active RPM security policy set with the %_pkgverify_level macro (see the /usr/lib/rpm/macros
              file for details).  That means, if the macro is set to 'signature' or 'all' and this option is False, it will be overridden to  True  during
              DNF  runtime,  and  a warning will be printed.  To squelch the warning, make sure this option is True for every enabled repository, and also
              enable localpkg_gpgcheck.
```

To me, the docs seem to suggest that the warning you see is printed because:

  1. some of the DNF/Yum repositories that are enabled in your dom0 are not configured to perform GPG signature checks
  2. and a security policy is set to enable GPG signature checks across all repositories anyway

Until we know more, it seems fair to assume that 2. is true. How can we investigate whether hypothesis 1. is correct?

The configuration for the DNF/Yum repositories is stored in the /etc/yum.repos.d directory. The directory contains multiple files, and each file defines one or more repositories. The configuration for each repository should contain the line gpgcheck=1.

You can review each file one by one, or print the content of all the files at once with the following command and read through the list:

```
cat /etc/yum.repos.d/*.repo # print all the repo config files at once

# "cat" is a command that concatenates files (it doesn't modify them, only prints the result)
# the "*.repo" pattern will match all files in the directory whose name ends in ".repo"
```

The configuration for a DNF/Yum repository looks like this example (note how the second-last line is gpgcheck=1):

```
[fedora]
name=Fedora 32 - x86_64
failovermethod=priority
#baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/32/Everything/x86_64/os/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-32&arch=x86_64
enabled=1
enablegroups=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-32-primary
```

If you find a repository without the gpgcheck=1 line, you’ve probably found the cause of the warning. If every single repository in that directory is configured with gpgcheck=1 then we’ll have to look further. :slightly_smiling_face:


To @ludovic’s point above, when you post pieces of code or terminal output, please remember to mark them as preformatted text using either the </> button in the toolbar or ``` on the line before and the line after the block of code. It makes it a lot easier to read!

The warning comes from localpkg_gpgcheck not being set to 1 in /etc/dnf/dnf.conf; it will be displayed on every invocation of dnf. This is the other case that will match #1.

When I am sure and it denies an installation, I download the rpm and run it with sudo rpm -ivh --nosignature rpmfile.rpm

as far as I can see, everything is set to =1 in both /dnf.conf and /yum.repos.d/*.repo
so any other ideas? (maybe I should remove the spaces before and after ‘=’?)

```
$ cat /etc/yum.repos.d/*.repo|grep gpgcheck
gpgcheck=1
gpgcheck=1
gpgcheck=1
gpgcheck=1
gpgcheck=1
gpgcheck=1
gpgcheck = 1
gpgcheck = 1
gpgcheck = 1
gpgcheck = 1
gpgcheck = 1
gpgcheck = 1
gpgcheck = 1
gpgcheck = 1
[k@dom0 ~]$ cat /etc/dn
dnf/          dnsmasq.conf  dnsmasq.d/    
[k@dom0 ~]$ cat /etc/dnf/dnf.conf
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
### QUBES BEGIN ###
# This part of configuration, until QUBES END, is automatically generated by
# /usr/lib/qubes/patch-dnf-yum-config. All changes here will be overriden.
# If you want to override any option set here, set it again to desired value,
# below this section

reposdir=/etc/yum.real.repos.d
installonlypkgs = kernel, kernel-qubes-vm
### QUBES END ###
```

maybe I should remove the spaces before and after ‘=’ ?

everything is set to =1 in those repos, in case this flags you.

Hi @Clodius,

  1. I suppose you’ve inspected all the repo definitions? If you filter the output using grep gpgcheck, you’ll only see the lines where the option was set, but may miss the fact that some repos may not define the option at all (which is equivalent to being False).

    In other words, the output of your grep command confirms that the option was set 14 times, but may be misleading if you have more than 14 repo definitions, or some repo set it twice. Does this make sense? (You don’t need to post the output of all your repos, just make sure you read through them.)

  2. Assuming you have exactly 14 repo definitions and gpgcheck is indeed enabled in all of them, I’d move on to verify the condition on localpkg_gpgcheck (reminder: it’s the second condition that’s mentioned in the man page). @icequbes1 suggests that option should be set in the DNF configuration file. (I’m not quite sure myself.)

    From your post, I see that yours sets gpgcheck, not localpkg_gpgcheck, is that intentional?


Note: the easiest way to get someone notified of a post (for example, me) is to mention them: @gonzalo-bulnes : )
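The per-repository check described in this post, as an added example (not code from the thread, Qubes or DNF): it parses each repo section instead of grepping, so an enabled repo that never sets gpgcheck is reported too. It assumes a repo that omits gpgcheck inherits the [main] value (False by default, per the man page) and that reposdir names a single directory; the sample input is constructed.

```python
import configparser
from pathlib import Path

TRUE = {"1", "yes", "true", "on"}  # spellings DNF accepts for a true boolean
# Constructed sample input (not from the thread): a dnf.conf and one .repo file.
SAMPLE_MAIN = "[main]\ninstallonly_limit=3\n"
SAMPLE_REPO = """\
[repo-a]
gpgcheck = 1
[repo-b]
gpgcheck=0
[repo-c]
enabled=0
[repo-d]
name=option never set
"""


def _load(text):
    # interpolation=None keeps '%' in URLs literal; strict=False tolerates duplicates
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _on(value):
    return value.strip().lower() in TRUE


def audit(main_text, repo_texts):
    """Return (enabled repos whose effective gpgcheck is off, localpkg_gpgcheck on?)."""
    main = _load(main_text)
    # Assumption: a repo that omits gpgcheck inherits [main]; documented default is False.
    default = main.get("main", "gpgcheck", fallback="0")
    unchecked = []
    for text in repo_texts:
        cp = _load(text)
        for repo in cp.sections():
            enabled = _on(cp.get(repo, "enabled", fallback="1"))
            if enabled and not _on(cp.get(repo, "gpgcheck", fallback=default)):
                unchecked.append(repo)  # only enabled repositories matter
    return unchecked, _on(main.get("main", "localpkg_gpgcheck", fallback="0"))


if __name__ == "__main__":
    conf = Path("/etc/dnf/dnf.conf").read_text()
    # Assumption: reposdir, when set (as in the dom0 file above), is one directory.
    repodir = _load(conf).get("main", "reposdir", fallback="/etc/yum.repos.d")
    texts = [p.read_text() for p in sorted(Path(repodir).glob("*.repo"))]
    print(audit(conf, texts))
```

On the sample, a grep for gpgcheck would print two lines, while the audit also flags repo-d, which is enabled but never sets the option.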

gpgcheck can be set globally (in [main] of dnf.conf) or per repository.
Removing spaces is correct.

```
      gpgcheck
              boolean

              Whether to perform GPG signature check on packages found in this repository.  The default is False.

              This  option can only be used to strengthen the active RPM security policy set with the %_pkgverify_level macro (see the /usr/lib/rpm/macros
              file for details).  That means, if the macro is set to 'signature' or 'all' and this option is False, it will be overridden to  True  during
              DNF  runtime,  and  a warning will be printed.  To squelch the warning, make sure this option is True for every enabled repository, and also
              enable localpkg_gpgcheck.
```

Note the specific instructions on squelching the warning, and why it
arises.

You need to check the manpage in the qube you are using for dom0 updates
(likely Fedora 33 based), not in dom0.

@gonzalo-bulnes

so, per unman, i’m now in sys-firewall looking at dnf.conf

this is what I see

```
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=False
skip_if_unavailable=True
```

shall I add a line after gpgcheck=1 like `localpkg_gpgcheck=1`?

nothing intentional, I simply updated as instructed after the last alert regarding a major RPM problem that required template reinstallation or so.

PS in sys-firewall /etc/yum.repos.d/ every repo has a gpgcheck=1


in dom0 /etc/yum.repos.d/ there still remain the spaces in 4 repos and even repo_gpgcheck=0 in all repos

```
gpgcheck = 1
gpgcheck = 1
gpgcheck = 1
gpgcheck = 1
gpgcheck=1
repo_gpgcheck=0
gpgcheck=1
```

however @unman seems to be saying this is irrelevant and *only sys-firewall (my updatevm) matters

fwiw dom0 dnf.conf looks like this

```
[user@fedora-33 dnf]$ cat dnf.conf
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=False
skip_if_unavailable=True
```

or perhaps what was being said *was, check the man page of the updatevm, but the changes should be done in dom0 eg adding localpkg_gpgcheck=1 and *not removing the existing gpgcheck=1 ?

and/or removing the dom0 spaces as referenced earlier.

Yes, that was what I intended.
No one had made it clear that it is the manpage in the updateVM that is
important, but it is the configuration in dom0 that has to be fixed.

The configuration in dom0 says what should be done.
This information is passed to the updateVM, and the updateVM says
how it will be done.

If the updateVM sees what it thinks is a misconfiguration in the
what, it reports an error or a warning, and you see this in dom0.

In this case the updateVM is reporting a warning, not an error. It
tells you how to squelch the warning. Because that advice comes from the
updateVM you must look at the manpage in the UpdateVM to see the
advice. Then you must apply that advice in dom0.

SO, remove the spaces in dom0, and apply the suggested changes there.

sadly, adding `localpkg_gpgcheck=1` to either or both dnf.conf or the 4 repos in /etc/yum.repos.d/ does not eliminate the warnings

I went on to removing the spaces but noted that in the entire qubes-dom0.repo every line has spaces, so I'm a bit fearful of breaking the machine and/or forgetting what's been changed in all the .configs

time for me to give up ; sigh ; thanks anyway

This is the correct answer, and works for me and other users.