So in step 3 of the “server with no gui install”, I have the following command:
sudo dnf install --nogpgcheck https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
sudo dnf install --nogpgcheck https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-9.noarch.rpm https://mirrors.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-9.noarch.rpm
sudo dnf config-manager --enable crb
What does “--nogpgcheck” actually do? Is there any reason for it?
All steps: The Ultimate Rocky Linux Install Guide with NVIDIA Drivers - Pastebin.com
Let’s take an example from the
name=Rocky Linux $releasever - BaseOS
as you can see here gpgcheck=1. You could edit the file and set it to gpgcheck=0, or you can use --nogpgcheck on the command line to override it.
Also, as per:
Skip checking GPG signatures on packages (if RPM policy allows).
The GPG check is there for a reason though, to ensure the packages are downloaded correctly and from a trusted source.
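To find where the check has been switched off persistently (the gpgcheck=0 setting mentioned above, as opposed to a one-off --nogpgcheck), here is an added example that is not part of the original thread. It lists the repo sections under /etc/yum.repos.d whose gpgcheck is disabled or not set; the function name audit_gpgcheck is made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report repo sections whose package
# signature check is disabled or not set in the .repo files of a directory.
# Usage: audit_gpgcheck [DIR]    (DIR defaults to /etc/yum.repos.d)

audit_gpgcheck() (
    dir="${1:-/etc/yum.repos.d}"
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue          # directory holds no .repo files
        awk -v file="$f" '
            # Print a finding for the section just finished, if it is not enabled.
            function flush() {
                if (section == "") return
                if (check == "") state = "unset"
                else if (check ~ /^(0|no|false|off)$/) state = "disabled"
                else state = "enabled"
                if (state != "enabled")
                    printf "%s [%s] gpgcheck=%s\n", file, section, state
            }
            /^[ \t]*[#;]/ { next }       # skip comment lines
            /^[ \t]*\[.*\]/ {            # a new [section] starts
                flush()
                section = $0
                sub(/^[ \t]*\[/, "", section)
                sub(/\].*$/, "", section)
                check = ""
                next
            }
            /^[ \t]*gpgcheck[ \t]*=/ {   # remember the value for this section
                val = $0
                sub(/^[^=]*=[ \t]*/, "", val)
                sub(/[ \t\r]+$/, "", val)
                check = tolower(val)
            }
            END { flush() }
        ' "$f"
    done
)
```

A section reported as unset takes its value from the [main] section of dnf.conf, so check that file as well.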
Awesome! Perfect explanation. Thank you sir.
So while we do know https://dl.fedoraproject.org and https://mirrors.rpmfusion.org are trusted sources, allowing the gpgcheck to run would protect us in the rare case something was compromised on these web hosts, right?
BTW, @iwalker - your post explaining Powertools is known as crb in 9.x is how I know that. Super cool to be chatting with you and picking your brain.
It helps check that all rpms downloaded are verified and trusted. A lot of repositories, not just Rocky’s, use gpgchecks and packages signed with gpg to ensure they are created by those people. It makes it more difficult for someone to compromise any rpms that way; if the gpg doesn’t match, then it’s best not to use that package. Some people may think, ah let’s override and just install it, but the risk is you never know then if that package actually is what it’s meant to be, and doesn’t also install a backdoor or whatever.
Makes sense. Thanks again!
Doesn’t Rocky have package epel-release in its own repos? I think it does. Hence:
sudo dnf install epel-release
(It is possible that dnf up does pull newer version from EPEL repo after that, but IMHO that is not so critical.)
EPEL does have package distribution-gpg-keys. It contains (presumably) keys of many distros. One could thus install that package and then import the relevant RPM Fusion keys – before install of those two rpmfusion*release* packages. That way you would have keys to check the packages with.