@Clodius I think you looked up the wrong option in the manual page, it’s
gpgcheck that’s mentioned in the warning message, not
gpgcheck entry reads as follows:
Whether to perform GPG signature check on packages found in this repository. The default is False.
This option can only be used to strengthen the active RPM security policy set with the %_pkgverify_level macro (see the /usr/lib/rpm/macros
file for details). That means, if the macro is set to 'signature' or 'all' and this option is False, it will be overridden to True during
DNF runtime, and a warning will be printed. To squelch the warning, make sure this option is True for every enabled repository, and also
To me, the docs seem to suggest that the warning you see is printed because:
- some of the DNF/Yum repositories that are enabled in your dom0 are not configured to perform GPG signature checks
and a security policy is set to enable GPG signature checks across all repositories anyway
Until we know more, it seems fair to assume that 2. is true. How to investigate if the hypothesis 1. is correct?
The configuration for the DNF/Yum repositories is stored in the
/etc/yum.repos.d directory. The directory contains multiple files, and each file defines one or more repositories. The configuration for each repository should contain the line
You can review each file one by one, or print the content of all the files at once with the following command and read through the list:
cat /etc/yum.repos.d/*.repo # print all the repo config files at once
# "cat" is a command that concatenates files (it doesn't modify them, only prints the result)
# the "*.repo" pattern will match all files in the directory, which name ends in ".repo"
The configuration for a DNF/Yum repository looks like this example (note how the second-last line is
name=Fedora 32 - x86_64
If you find a repository without the
gpgcheck=1 line, you’ve probably found the cause of the warning. If every single repository in that directory is configured with
gpgcheck=1 then we’ll have to look further.
To @ludovic’s point above, when you post pieces of code or terminal output, please remember marking them as preformatted text using either the </> button in the toolbar or ``` on the line before and the line after the block of code. It makes it a lot easier to read!