Dnf localinstall does not perform GPG signature verification

carorodr · March 14, 2025, 3:29pm

When I install a package from a local directory dnf doesn’t perform GPG signature verification.

The example below I import the Almalinux GPG key and then install a package not signed by the same key.

[cisco@csl-almalinux9 temp]$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
[cisco@csl-almalinux9 temp]$ ls -la 
total 39608
drwxr-xr-x. 2 cisco cisco     4096 Mar 14 11:05 .
drwx------. 5 cisco cisco     4096 Mar 13 11:03 ..
-rw-r--r--. 1 cisco cisco    63973 Mar 14 11:05 bsdtar-3.5.3-4.el9.x86_64.rpm

[cisco@csl-almalinux9 temp]$ rpm --checksig -v bsdtar-3.5.3-4.el9.x86_64.rpm 
bsdtar-3.5.3-4.el9.x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

[cisco@csl-almalinux9 temp]$ sudo dnf localinstall bsdtar-3.5.3-4.el9.x86_64.rpm 
Last metadata expiration check: 3:16:51 ago on Fri 14 Mar 2025 08:10:52 AM EDT.
Dependencies resolved.
========================================================================================================================================================
 Package                          Architecture                     Version                                 Repository                              Size
========================================================================================================================================================
Installing:
 bsdtar                           x86_64                           3.5.3-4.el9                             @commandline                            62 k

Transaction Summary
========================================================================================================================================================
Install  1 Package

Total size: 62 k
Installed size: 132 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                1/1 
  Installing       : bsdtar-3.5.3-4.el9.x86_64                                                                                                      1/1 
  Running scriptlet: bsdtar-3.5.3-4.el9.x86_64                                                                                                      1/1 
  Verifying        : bsdtar-3.5.3-4.el9.x86_64                                                                                                      1/1 

Installed:
  bsdtar-3.5.3-4.el9.x86_64                                                                                                                             

Complete!

pastalian · March 15, 2025, 6:03pm

You can enable the check for local packages by adding localpkg_gpgcheck=1 to the /etc/dnf/dnf.conf.
https://dnf.readthedocs.io/en/latest/conf_ref.html#localpkg-gpgcheck-label

jlehtone · March 16, 2025, 8:57am

Note: the localinstall is a deprecated alias of install. (See man dnf)

The localpkg_gpgcheck is described in man dnf.conf too.