Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1814671

Summary: include gpg of cisco repo
Product: [Fedora] Fedora Reporter: Vladimir Benes <vbenes>
Component: fedora-reposAssignee: Mohan Boddu <mboddu>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 32CC: awilliam, dennis, dgilmore, dustymabe, fzatlouk, kellin, kevin, klember, kparal, mastyk, mboddu, mcatanza, ngompa13, pbrobinson, robatino, thrcka
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: AcceptedBlocker
Fixed In Version: fedora-repos-32-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-13 21:28:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1705305    
Attachments:
Description Flags
dnf-output none

Description Vladimir Benes 2020-03-18 13:56:47 UTC
Description of problem:
to continue this:
https://bugzilla.redhat.com/show_bug.cgi?id=1814596

is there any reason why we don't have gpg key of cisco repo bundled together with other fedora repos? We have GPG keys back to fedora 7 included in the package (why??) but we don't have the cisco one. 
Once a user installs the system it's needed to approve the gpg over a network. This is just breaking the smooth user experience.

Version-Release number of selected component (if applicable):
fedora-repos-32-0.7

Comment 1 Martin Styk 2020-03-18 14:03:32 UTC
Created attachment 1671067 [details]
dnf-output

Attached how it looks like w/ clean installation via ISO.
This is not really nice user experience if we have to accept the GPG key for CISCO repo. Why this repo is not handled as rest if it should be enabled by default.

Comment 2 Mohan Boddu 2020-03-18 14:47:05 UTC
openh264 rpms are signed with their respective fedora release gpg key, for example, https://src.fedoraproject.org/rpms/fedora-repos/blob/f32/f/fedora-cisco-openh264.repo#_10 uses Fedora 32 gpg key. We need to set "repo_gpgcheck = 0" to not to perform gpg check on repodata which makes it go away. I am not sure why it was set in first place as it predates me, maybe we can ask fedora-workstation guys.

Comment 3 Mohan Boddu 2020-03-18 16:18:12 UTC
The right fix for this issue is fixing other bz bug https://bugzilla.redhat.com/show_bug.cgi?id=1768206

Comment 4 Dennis Gilmore 2020-03-18 18:41:12 UTC
Ther reason that "repo_gpgcheck = 1" is set because it does not use mirrormanager it could be subject to man in the middle attacks and so we need to verify that the repodata is provided by fedora.

Comment 5 Michael Catanzaro 2020-03-20 13:30:56 UTC
Asking whether to import a GPG key from a *Fedora-packaged source* is already a mistake. That's just training users to ignore GPG key prompts. I don't even think about them anymore before I habitually enter y for yes....

Comment 6 Dusty Mabe 2020-03-20 16:15:32 UTC
After talking with Mohan, my understanding is that key that is used for the cisco repo is the same exact key that is used for the rest of Fedora 32 so the key is already local to the system. The "problem" is that there is a bug in DNF which doesn't properly detect the key and prompts the user anyway: https://bugzilla.redhat.com/show_bug.cgi?id=1768206#c5

If the above is correct then this bug should be closed since the gpg key for the cisco repo is already included as requested.

Comment 7 Martin Styk 2020-03-20 16:40:00 UTC
Right Dusty,..

In my opinion, DNF patch has to be introduced into Fedora 32. User experience is terrible if you will ask to add new GPG key on first DNF operation, even when user didn't touch OS.

Comment 8 Neal Gompa 2020-03-20 21:11:43 UTC
(In reply to Martin Styk from comment #7)
> Right Dusty,..
> 
> In my opinion, DNF patch has to be introduced into Fedora 32. User
> experience is terrible if you will ask to add new GPG key on first DNF
> operation, even when user didn't touch OS.

That already happens today anyway. We haven't been preloading the imported key for a while now.

Comment 9 Fedora Update System 2020-04-09 21:33:40 UTC
FEDORA-2020-e78e1f678b has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e78e1f678b

Comment 10 Adam Williamson 2020-04-09 21:36:05 UTC
Transferring F32 Final release blocker status here from https://bugzilla.redhat.com/show_bug.cgi?id=1768206 , as explained in https://bugzilla.redhat.com/show_bug.cgi?id=1768206#c29 .

Comment 11 Fedora Update System 2020-04-10 03:32:20 UTC
FEDORA-2020-2d37e7879c has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-2d37e7879c

Comment 12 FrantiĊĦek Zatloukal 2020-04-10 08:49:08 UTC
FEDORA-2020-2d37e7879c fixes the issue.

Comment 13 Fedora Update System 2020-04-11 18:51:22 UTC
FEDORA-2020-2d37e7879c has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-2d37e7879c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-2d37e7879c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2020-04-13 21:28:54 UTC
FEDORA-2020-2d37e7879c has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.