Bug 1793298
| Summary: | dnf-automatic upgrade packages that does not have the signing key accepted | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | GV <rhel> |
| Component: | dnf | Assignee: | Marek Blaha <mblaha> |
| Status: | CLOSED ERRATA | QA Contact: | Luca Berton <lberton> |
| Severity: | high | Docs Contact: | Mariya Pershina <mpershin> |
| Priority: | high | | |
| Version: | 8.1 | CC: | james.antill, lberton, mblaha, mpershin, nsella, pkratoch |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| dnf-4.2.23-1.el8 | Bug Fix | | |
| 2020-11-04 01:52:25 UTC | Bug | | |

`dnf-automatic` now updates only packages with correct GPG signatures

Previously, `dnf-automatic` did not check GPG signatures of downloaded packages before performing an update. As a consequence, unsigned updates or updates signed by a key that was not imported could be installed by `dnf-automatic` even though the repository configuration requires a GPG signature check (`gpgcheck=1`). With this update, the problem has been fixed, and `dnf-automatic` checks GPG signatures of downloaded packages before performing the update. As a result, only updates with correct GPG signatures are installed from repositories that require a GPG signature check.
dnf-automatic is not checking GPG keys of the packages before performing installation. PR https://github.com/rpm-software-management/dnf/pull/1580 addresses it.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (yum bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4510

Created attachment 1654123 [details]
dnf-automatic configuration file

```
$ rpm -q -p dummy-1.0.0-1.c8.x86_64.rpm
warning: dummy-1.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
dummy-1.0.0-1.c8.x86_64

$ rpm -q dummy-2.0.0-1.c8.x86_64.rpm
warning: dummy-2.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
dummy-2.0.0-1.c8.x86_64

# rpm -ivh dummy-1.0.0-1.c8.x86_64.rpm
warning: dummy-1.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:dummy-1.0.0-1.c8                 ################################# [100%]

# yum update
...
Dependencies resolved.
================================================================================
 Package        Architecture        Version           Repository        Size
================================================================================
Upgrading:
 dummy          x86_64              2.0.0-1.c8        local            9.9 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total size: 9.9 k
Is this ok [y/N]: y
Downloading Packages:
warning: /home/dummy/work/rpm/RPMS/x86_64/dummy-2.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
Public key for dummy-2.0.0-1.c8.x86_64.rpm is not installed
Error: GPG check FAILED

# systemctl status dnf-automatic
● dnf-automatic.service - dnf automatic
   Loaded: loaded (/usr/lib/systemd/system/dnf-automatic.service; static; vendor preset: disabled)
   Active: inactive (dead)

# systemctl start dnf-automatic
Job for dnf-automatic.service failed because the control process exited with error code.
See "systemctl status dnf-automatic.service" and "journalctl -xe" for details.
```

Relevant /var/log/message entries:

```
Jan 21 08:04:01 c8 systemd[1]: Starting dnf automatic...
Jan 21 08:04:01 c8 dnf-automatic[987]: Running transaction check
Jan 21 08:04:02 c8 dnf-automatic[987]: Transaction check succeeded.
Jan 21 08:04:02 c8 dnf-automatic[987]: Running transaction test
Jan 21 08:04:02 c8 dnf-automatic[987]: Transaction test succeeded.
Jan 21 08:04:02 c8 dnf-automatic[987]: Running transaction
Jan 21 08:04:06 c8 dnf-automatic[987]: Traceback (most recent call last):
Jan 21 08:04:06 c8 dnf-automatic[987]:   File "/usr/bin/dnf-automatic", line 32, in <module>
Jan 21 08:04:06 c8 dnf-automatic[987]:     sys.exit(dnf.automatic.main.main(sys.argv[1:]))
Jan 21 08:04:06 c8 dnf-automatic[987]:   File "/usr/lib/python3.6/site-packages/dnf/automatic/main.py", line 264, in main
Jan 21 08:04:06 c8 dnf-automatic[987]:     emitters.commit()
Jan 21 08:04:06 c8 dnf-automatic[987]:   File "/usr/lib/python3.6/site-packages/dnf/util.py", line 493, in fn
Jan 21 08:04:06 c8 dnf-automatic[987]:     return list(map(call_what, self))
Jan 21 08:04:06 c8 dnf-automatic[987]:   File "/usr/lib/python3.6/site-packages/dnf/util.py", line 492, in call_what
Jan 21 08:04:06 c8 dnf-automatic[987]:     return method(*args, **kwargs)
Jan 21 08:04:06 c8 dnf-automatic[987]:   File "/usr/lib/python3.6/site-packages/dnf/automatic/emitter.py", line 103, in commit
Jan 21 08:04:06 c8 dnf-automatic[987]:     smtp = smtplib.SMTP(self._conf.email_host, timeout=300)
Jan 21 08:04:06 c8 dnf-automatic[987]:   File "/usr/lib64/python3.6/smtplib.py", line 251, in __init__
Jan 21 08:04:06 c8 dnf-automatic[987]:     (code, msg) = self.connect(host, port)
Jan 21 08:04:06 c8 dnf-automatic[987]:   File "/usr/lib64/python3.6/smtplib.py", line 336, in connect
Jan 21 08:04:06 c8 dnf-automatic[987]:     self.sock = self._get_socket(host, port, self.timeout)
Jan 21 08:04:06 c8 dnf-automatic[987]:   File "/usr/lib64/python3.6/smtplib.py", line 307, in _get_socket
Jan 21 08:04:06 c8 dnf-automatic[987]:     self.source_address)
Jan 21 08:04:06 c8 dnf-automatic[987]:   File "/usr/lib64/python3.6/socket.py", line 724, in create_connection
Jan 21 08:04:06 c8 dnf-automatic[987]:     raise err
Jan 21 08:04:06 c8 dnf-automatic[987]:   File "/usr/lib64/python3.6/socket.py", line 713, in create_connection
Jan 21 08:04:06 c8 dnf-automatic[987]:     sock.connect(sa)
Jan 21 08:04:06 c8 dnf-automatic[987]: OSError: [Errno 113] No route to host
Jan 21 08:04:06 c8 systemd[1]: dnf-automatic.service: Main process exited, code=exited, status=1/FAILURE
Jan 21 08:04:06 c8 systemd[1]: dnf-automatic.service: Failed with result 'exit-code'.
Jan 21 08:04:06 c8 systemd[1]: Failed to start dnf automatic.
```

```
# systemctl start dnf-automatic
```

Relevant /var/log/message entries:

```
Jan 21 08:04:09 c8 systemd[1]: Starting dnf automatic...
Jan 21 08:04:09 c8 systemd[1]: Started dnf automatic.
```

```
# rpm -q dummy
dummy-2.0.0-1.c8.x86_64

# yum history undo last
Undoing transaction 65, from Tue 21 Jan 2020 08:04:02 AM EET
    Upgrade  dummy-2.0.0-1.c8.x86_64 @local
    Upgraded dummy-1.0.0-1.c8.x86_64 @@System
Dependencies resolved.
================================================================================
 Package        Architecture        Version           Repository        Size
================================================================================
Downgrading:
 dummy          x86_64              1.0.0-1.c8        local            9.9 k

Transaction Summary
================================================================================
Downgrade  1 Package

Total size: 9.9 k
Is this ok [y/N]: y
Downloading Packages:
warning: /home/dummy/work/rpm/RPMS/x86_64/dummy-1.0.0-1.c8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8725a212: NOKEY
Public key for dummy-1.0.0-1.c8.x86_64.rpm is not installed
Error: GPG check FAILED
```
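To find packages that reached a host the way `dummy-2.0.0` did above, the installed set can be audited against the keys imported into the rpm database. The following is an added example, not code from dnf or from this bug report; it assumes RHEL 8's rpm, where each imported key appears as a `gpg-pubkey` pseudo-package whose version is the short key ID, and the sample data is constructed.

```python
import re
import subprocess

# Real rpm queries; the \t and \n escapes are expanded by rpm itself.
QUERY = ["rpm", "-qa", "--qf", r"%{NEVRA}\t%{RSAHEADER:pgpsig}\n"]
KEYS = ["rpm", "-q", "gpg-pubkey", "--qf", r"%{VERSION}\n"]
KEY_ID = re.compile(r"Key ID ([0-9a-f]{8,16})", re.I)

# Constructed sample data (not from a real host). Only the short key ID
# 8725a212 comes from the bug report; its upper half is made up.
SAMPLE_KEYS = "89abcdef\n"
SAMPLE_QA = (
    "examplepkg-1.0-1.el8.x86_64\tRSA/SHA256, Tue 21 Jan 2020 08:00:00 AM EET, Key ID 0123456789abcdef\n"
    "dummy-2.0.0-1.c8.x86_64\tRSA/SHA256, Tue 21 Jan 2020 07:50:00 AM EET, Key ID 000000008725a212\n"
    "localtool-0.1-1.el8.noarch\t(none)\n"
    "gpg-pubkey-89abcdef-5ccc5b19\t(none)\n"
)


def audit(rpm_qa_output, keyring_output):
    """Return {nevra: reason} for installed packages rpm could not have verified."""
    # Keep only lines that look like short key IDs, so the error text rpm
    # prints when no key is imported is not mistaken for a key.
    trusted = set(re.findall(r"^[0-9a-f]{8}$", keyring_output.lower(), re.M))
    findings = {}
    for line in rpm_qa_output.splitlines():
        nevra, _, sig = line.partition("\t")
        if not nevra or nevra.startswith("gpg-pubkey-"):
            continue  # imported keys are pseudo-packages and carry no signature
        match = KEY_ID.search(sig)
        if match is None:
            findings[nevra] = "unsigned"
        elif match.group(1).lower()[-8:] not in trusted:
            findings[nevra] = "key %s not imported" % match.group(1).lower()
    return findings


def run(cmd):
    """Run an rpm query and return its stdout as text (Python 3.6 compatible)."""
    return subprocess.run(cmd, stdout=subprocess.PIPE, universal_newlines=True).stdout


if __name__ == "__main__":
    for nevra, reason in sorted(audit(run(QUERY), run(KEYS)).items()):
        print(nevra, reason, sep=": ")
```

A finding for a package that came from a `gpgcheck=1` repository is worth tracing through `yum history`, especially on hosts that ran `dnf-automatic` with a dnf build older than the dnf-4.2.23-1.el8 listed in this bug.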