I’m a little confused about GPG verification of RPMs.
dnf downloads the RPM file from the URL that is defined in the .repo file. dnf uses rpm to install the downloaded RPM file, and if gpgcheck=1 is defined in the repo file it uses the -V flag with rpm. rpm installs the RPM and checks the GPG signature if the -V flag is given. rpm tries to find the public key for the RPM in some local path.
If rpm can’t find the correct public key it fails. dnf gets to know about this and downloads the public key from the URL in gpgkey=https://example.com/key.asc of the repo file. dnf tries again with rpm.
So, the questions are: doesn’t dnf check GPG signatures?
Does rpm always try to find GPG public keys locally? So dnf connects to https://example.com/key.asc only if rpm can’t find the key locally?
If the GPG key isn’t local, what is the idea of downloading the key from the URL? I mean, if you can’t trust your internet connection, the downloaded key doesn’t prove anything?
Why do I need to run rpm --import https://example.com/key.asc when I add a new repo? I mean, doesn’t dnf download the signature immediately anyway when I run sudo dnf upgrade?
What is the difference between rpm --import and rpmkeys --import?
Why does rpm -qa list keys? They aren’t packages, right?
Where does rpm store local keys? The path /etc/pki/rpm-gpg/ contains hundreds of keys but rpm -qa gpg-* lists just two? And I can’t find one of the two keys that rpm -qa gpg-* lists in /etc/pki/rpm-gpg/.
Normally, it does when installing a package from a repo.
In general case, this depends on the global DNF settings and custom repo settings.
It does not when the argument is an RPM file, locally downloaded or specified by a URL.
HTTPS and DoT should provide enough security, even if you don’t trust your own ISP.
It helps to automate the key import.
Yes, you can also import the key manually.
There should be no difference, at least for now.
In the RPM database along with the metadata for installed packages.
The devs probably decided against using a separate key storage.
Correct.
Most of those files are just symlinks unrelated to the current version of the system, and the necessary ones should already be imported in the RPM database.
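One way to check the answer above (the keys live in the RPM database as gpg-pubkey pseudo-packages, and most files under /etc/pki/rpm-gpg/ are unrelated) against the actual files is to recompute the name rpm gives an imported key. rpm names it gpg-pubkey-<low 32 bits of the OpenPGP key ID, lowercase hex>-<key creation time, hex>, and both values come straight from the v4 public-key packet (RFC 4880 §12.2: the fingerprint is SHA-1 over 0x99, a two-byte length, and the packet body; the key ID is its low 64 bits). The following is an added example, not code from this thread or from rpm/dnf: stdlib Python that de-armors a .asc file, computes that name, and compares it with the output of `rpm -q gpg-pubkey`. The two keys, the file paths and the rpm output in the block are constructed for the demo and are not real Fedora keys; the function names are the example’s own.

```python
import base64
import hashlib
import struct


def dearmor(text):
    """Decode an ASCII-armored OpenPGP block (the *.asc format in /etc/pki/rpm-gpg/)."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                       # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    body = [l for l in body if not l.startswith("=")]   # drop the optional "=XXXX" CRC24 line
    return base64.b64decode("".join(body))


def read_packet(data, offset=0):
    """Return (tag, body, next_offset) for the OpenPGP packet starting at offset."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("bad packet header")
    if ctb & 0x40:                       # new-format header (RFC 4880 §4.2.2)
        tag = ctb & 0x3F
        first = data[offset + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[offset + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", data[offset + 2:offset + 6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old-format header (RFC 4880 §4.2.1)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, hdr = data[offset + 1], 2
        elif ltype == 1:
            length, hdr = struct.unpack(">H", data[offset + 1:offset + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", data[offset + 1:offset + 5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    start = offset + hdr
    return tag, data[start:start + length], start + length


def rpm_pubkey_name(armored):
    """Return (gpg-pubkey-<keyid>-<ctime>, full fingerprint, creation time) for a key file."""
    tag, body, _ = read_packet(dearmor(armored))
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected a public-key packet (6)")
    if body[0] != 4:
        raise ValueError(f"unsupported key version {body[0]}")
    ctime = struct.unpack(">I", body[1:5])[0]
    # v4 fingerprint: SHA-1 over 0x99 || two-byte body length || body
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    keyid = fpr[-16:]                    # key ID = low 64 bits of the fingerprint
    return f"gpg-pubkey-{keyid[-8:]}-{ctime:08x}", fpr, ctime


def match_keys(rpm_q_output, key_files):
    """Map each key file to the rpm gpg-pubkey entry it corresponds to, or None if not imported."""
    installed = set(rpm_q_output.split())
    result = {}
    for path, armored in key_files.items():
        name, _, _ = rpm_pubkey_name(armored)
        result[path] = name if name in installed else None
    return result


def _constructed_key(ctime, n_bytes, e=65537):
    """Build and armor a toy v4 RSA public-key packet. Constructed for the demo only:
    the modulus is arbitrary bytes, not a real key."""
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", ctime) + b"\x01" + mpi(int.from_bytes(n_bytes, "big")) + mpi(e)
    packet = b"\x99" + struct.pack(">H", len(body)) + body   # old-format tag 6, 2-byte length
    b64 = base64.b64encode(packet).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{lines}\n-----END PGP PUBLIC KEY BLOCK-----\n"


# Constructed demo key files (hypothetical paths, not real Fedora keys).
KEY_FILES = {
    "/etc/pki/rpm-gpg/RPM-GPG-KEY-demo-37": _constructed_key(0x62f2920f, hashlib.sha256(b"demo-37").digest()),
    "/etc/pki/rpm-gpg/RPM-GPG-KEY-demo-38": _constructed_key(0x63e0e5a1, hashlib.sha256(b"demo-38").digest()),
}

# Constructed stand-in for `rpm -q gpg-pubkey` output: the first demo key was
# imported (rpm --import / rpmkeys --import), the second was not.
RPM_Q_OUTPUT = (rpm_pubkey_name(KEY_FILES["/etc/pki/rpm-gpg/RPM-GPG-KEY-demo-37"])[0]
                + "\ngpg-pubkey-deadbeef-5e9f3c10\n")

if __name__ == "__main__":
    for path, entry in match_keys(RPM_Q_OUTPUT, KEY_FILES).items():
        print(f"{path}: {entry or 'NOT imported into the RPM database'}")
```

On a real system, replace `KEY_FILES` with the contents of the files under /etc/pki/rpm-gpg/ and `RPM_Q_OUTPUT` with the real output of `rpm -q gpg-pubkey`; a file whose computed name is not in that output has not been imported, and an entry in that output with no matching file (the second case in the question) came from somewhere else, for example a key dnf fetched from a repo’s gpgkey= URL.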
Does the dnf binary do this? Or does it call the rpm binary like I wrote in my example?*1
*1 “dnf downloads the RPM file from the URL that is defined in the .repo file. dnf uses rpm to install the downloaded RPM file, and if gpgcheck=1 is defined in the repo file it uses the -V flag with rpm.”
Really? Why?
Why do we then need signed packages? If you can trust the key that you downloaded over an untrusted network, why can’t you trust the packages that you downloaded over the same network, without signing? By DoT do you mean TLS over DNS?
Automate? IMO that is manual work.
Manually?
rpmkeys is not a symlink to rpm, it’s its own binary, so?
It is more than that. The GPG verification is there to ensure that the package you download was built and signed by Fedora, and if you can trust Fedora you can trust the downloaded package. HTTPS doesn’t say anything about where the data ultimately came from, and as you can download from a lot of different mirror sites, the certificate of the download mirror site only tells you that you downloaded from the site you think you were downloading from.