The infamous --nogpgcheck

So in step 3 of the “server with no gui install”, I have the following command:
3. Configuration:

sudo dnf install --nogpgcheck https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

sudo dnf install --nogpgcheck https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-9.noarch.rpm https://mirrors.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-9.noarch.rpm

sudo dnf config-manager --enable crb

What does “--nogpgcheck” actually do? Is there any reason for it?

All steps: The Ultimate Rocky Linux Install Guide with NVIDIA Drivers - Pastebin.com

Let’s take an example from the /etc/yum.repos.d/rocky.repo file:

[baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever$rltype
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=0
countme=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

As you can see here, gpgcheck=1. You could edit the file and set it to gpgcheck=0, or you can use --nogpgcheck on the command line to override it.

Also, as per: man dnf

      --nogpgcheck
              Skip checking GPG signatures on packages (if RPM policy allows).

The GPG check is there for a reason though, to ensure the packages are downloaded correctly and from a trusted source.

Awesome! Perfect explanation. Thank you sir.

So while we do know https://dl.fedoraproject.org and https://mirrors.rpmfusion.org are trusted sources, allowing the gpgcheck to run would protect us in the rare case something was compromised on these web hosts, right?

BTW, @iwalker - your post explaining Powertools is known as crb in 9.x is how I know that. Super cool to be chatting with you and picking your brain.


It helps check that all rpms downloaded are verified and trusted. A lot of repositories, not just Rocky’s, use gpgchecks and packages signed with gpg to ensure they are created by those people. It makes it more difficult for someone to compromise any rpms that way; if the gpg doesn’t match, then it’s best not to use that package. Some people may think, ah, let’s override and just install it, but the risk is you never know then if that package actually is what it’s meant to be, and doesn’t also install a backdoor or whatever.

Makes sense. Thanks again!

Doesn’t Rocky have package epel-release in its own repos? I think it does. Hence:

sudo dnf install epel-release

(It is possible that dnf up does pull a newer version from the EPEL repo after that, but IMHO that is not so critical.)

EPEL does have the package distribution-gpg-keys. It contains (presumably) keys of many distros. One could thus install that package and then import the relevant RPM Fusion keys – before installing those two rpmfusion*release* packages. That way you would have keys to check the packages with.
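Putting the key-first suggestion above into a script, as an added example that is not from the thread: import the vendor key (assumed here to come from the distribution-gpg-keys package; the exact key file name is an assumption), then refuse the release RPM unless rpm --checksig reports a verified signature, so --nogpgcheck is never needed. The classify_checksig helper is mine; the URL in the commented invocation is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): instead of --nogpgcheck, import the
# vendor key first, then let `rpm --checksig` decide whether the release RPM
# may be installed. Assumed: the key file path comes from the
# distribution-gpg-keys package mentioned above; the filename is a guess.
set -eu

# Classify one line of `rpm --checksig` (rpm -K) output, e.g.
#   "epel-release-latest-9.noarch.rpm: digests signatures OK"
# Prints: ok (signature verified), unsigned (digests only), bad (anything else)
classify_checksig() {
    status=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    status=${status##*: }               # drop the "filename: " prefix
    case "$status" in
        *"not ok"*)                       echo bad ;;      # failed / missing key
        *signature*ok*|*gpg*ok*|*pgp*ok*) echo ok ;;       # a signature verified
        *"digests ok"*|*"md5 ok"*)        echo unsigned ;; # no signature at all
        *)                                echo bad ;;
    esac
}

# Usage: verified_install URL KEYFILE
verified_install() {
    url=$1; key=$2
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    pkg="$tmp/$(basename "$url")"
    curl -fsSL -o "$pkg" "$url"
    sudo rpm --import "$key"            # trust exactly this vendor key
    verdict=$(classify_checksig "$(rpm --checksig "$pkg" || true)")
    if [ "$verdict" = ok ]; then
        sudo dnf install "$pkg"         # gpgcheck stays at its default
    else
        echo "refusing $pkg: signature status '$verdict'" >&2
        return 1
    fi
}

# Example invocation with the URL from the thread (key path is assumed):
# verified_install https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-9.noarch.rpm \
#     /usr/share/distribution-gpg-keys/rpmfusion/RPM-GPG-KEY-rpmfusion-free-el-9
```

The classifier accepts both the current "digests signatures OK" wording and the older "(sha1) dsa sha1 md5 gpg OK" style, so it can be reused on older EL hosts.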
