Fedora template upgrade docs should give advice about importing signing keys #2463

Closed
andrewclausen opened this Issue Nov 27, 2016 · 0 comments


Qubes OS version:

R3.2

Affected TemplateVMs:

fedora-23

Summary:

When upgrading the Fedora template from 23 to 24, dnf requires the user to approve importing a new key. This key was already checked when it was installed. The documentation ought to say that it is safe to import the key.

Details:

When following the Fedora 23 template upgrade instructions, the user gets asked to approve importing a key:

warning: /var/cache/dnf/fedora-d02ca361e1b58501/packages/python2-babel-2.3.4-1.fc24.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 81b46521: NOKEY
Importing GPG key 0x81B46521:
 Userid     : "Fedora (24) <fedora-24-primary@fedoraproject.org>"
 Fingerprint: 5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-x86_64
Is this ok [y/N]:

This leaves the user in a difficult position: should the user accept the key? Should the user verify it? It turns out that the key was installed by a package,

$ rpm -qf /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-x86_64
fedora-repos-23-2.noarch

so a signature for the key was already checked. Therefore, it is safe to say "yes" without doing any more checks.

Proposed Solution:

I think the documentation (linked above) should add a step (after step 5) saying: "dnf might ask you to approve importing a new package signing key. This key was already checked when it was installed, so you can safely say yes."

@andrewdavidwong andrewdavidwong added this to the Documentation/website milestone Nov 27, 2016
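The checks a user could run on the prompt quoted in the issue, as an added example that is not part of the original report or of the Qubes or dnf code. It parses the prompt text from the report together with the output of `rpm -qf`; the function names and the `KEY_DIR` constant are assumptions made for illustration.

```python
import re

# Prompt text copied from the issue above.
PROMPT = """\
warning: /var/cache/dnf/fedora-d02ca361e1b58501/packages/python2-babel-2.3.4-1.fc24.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 81b46521: NOKEY
Importing GPG key 0x81B46521:
 Userid     : "Fedora (24) <fedora-24-primary@fedoraproject.org>"
 Fingerprint: 5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-24-x86_64
Is this ok [y/N]:
"""

KEY_DIR = "/etc/pki/rpm-gpg/"  # assumed location of package-installed keys

def parse_prompt(text):
    """Extract the fields dnf shows before asking to import a key."""
    patterns = {
        "warned_id": r"key ID ([0-9A-Fa-f]{8}): NOKEY",
        "import_id": r"Importing GPG key 0x([0-9A-Fa-f]{8}):",
        "userid": r'Userid\s*:\s*"(.*)"',
        "fingerprint": r"Fingerprint\s*:\s*([0-9A-Fa-f ]+)",
        "source": r"From\s*:\s*(\S+)",
    }
    fields = {}
    for name, pat in patterns.items():
        m = re.search(pat, text)
        fields[name] = m.group(1).strip() if m else None
    return fields

def check_prompt(fields, rpm_qf_output):
    """Return a list of problems; an empty list means the prompt is consistent."""
    missing = sorted(k for k, v in fields.items() if v is None)
    if missing:
        return ["prompt is missing: " + ", ".join(missing)]
    problems = []
    fpr = fields["fingerprint"].replace(" ", "").upper()
    if len(fpr) != 40:
        problems.append("fingerprint is not 40 hex digits")
    # The ID in the NOKEY warning, the ID being imported and the
    # fingerprint's last 8 digits must all name the same key.
    if not (fields["warned_id"].upper() == fields["import_id"].upper() == fpr[-8:]):
        problems.append("key IDs and fingerprint disagree")
    if not fields["source"].startswith(KEY_DIR):
        problems.append("key is not read from " + KEY_DIR)
    owner = rpm_qf_output.strip()
    if not owner or "is not owned by any package" in owner:
        problems.append("key file is not owned by an installed package")
    return problems
```

The function only checks that the displayed fields agree with each other and that the key file has an owning package; it does not re-verify that package's signature.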
