Introduce gpgcheck_policy to control gpgcheck defaults and add support for pkg_gpgcheck #727

Open
Conan-Kudo opened this issue Jul 17, 2023 · 3 comments
Labels
bug Originally reported in Jira or Bugzilla Priority: LOW Triaged Someone on the DNF 5 team has read the issue and determined the next steps to take

Comments

@Conan-Kudo
Member

Description of request

Currently, DNF supports two flags: gpgcheck and repo_gpgcheck. However, it is not clear what gpgcheck actually covers. In DNF, gpgcheck only covers package signature checking, but in Zypper, it covers both package and repository metadata signature checking.

Zypper has three options:

  1. gpgcheck, covering repo and packages
  2. pkg_gpgcheck, covering packages only (equivalent to current gpgcheck in Yum/DNF)
  3. repo_gpgcheck, covering repo only (DNF supports this the same way Zypper does)

Each of these can be set globally or per-repository. By default, Zypper does both repository and package checks, and the other two options can be used to override bits of that behavior in Zypper.

To control the behavior of gpgcheck, we should have a global config option called gpgcheck_policy, with the following options: "legacy", "full", and "all".

  • gpgcheck_policy=legacy makes "gpgcheck=1" equivalent to setting pkg_gpgcheck=1, repo_gpgcheck=0, and localpkg_gpgcheck=0.

  • gpgcheck_policy=full makes gpgcheck=1 equivalent to setting pkg_gpgcheck=1, repo_gpgcheck=1, and localpkg_gpgcheck=0.

  • gpgcheck_policy=all makes gpgcheck=1 equivalent to setting pkg_gpgcheck=1, repo_gpgcheck=1, and localpkg_gpgcheck=1.

Regardless of modes, each configuration section ([main] or repo sections in dnf.conf or in repo files) can override the policy behavior by setting pkg_gpgcheck and repo_gpgcheck accordingly. Obviously localpkg_gpgcheck has no bearing in repo sections, but could be switched on separately in the main section in dnf.conf.

The upstream default in the code (that is, when the gpgcheck_policy option is unset) would be the equivalent of setting gpgcheck_policy=full. However, for the dnf.conf that will ship in Fedora and RHEL, it would be set to gpgcheck_policy=legacy to conform with the existing behavior and not break anything.

This aligns our options and behaviors with other RPM package managers using rpm-md and makes the GPG checking policy coherent.

Benefit to distributions

Different distributions have different expectations of what gpgcheck should cover. For example, the SUSE distribution family expects gpgcheck to operate with gpgcheck_policy=full, whereas RHEL/Fedora expects gpgcheck_policy=legacy. CentOS can optionally operate with gpgcheck_policy=full, which is useful for users that have requirements for it.

I also hope having this would encourage distributions to introduce repository GPG checking as a new norm over time, as well.
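
A sketch of how the proposed resolution could work, added here as an illustration; it is not code from DNF or from the issue's author. `gpgcheck_policy` and `pkg_gpgcheck` are the options proposed above, not existing DNF settings, and three points are assumptions: repo sections take precedence over `[main]`, `gpgcheck=0` turns every check off, and a config that sets nothing checks nothing.

```python
import configparser

# What gpgcheck=1 expands to under each proposed policy value.
KEYS = ("pkg_gpgcheck", "repo_gpgcheck", "localpkg_gpgcheck")
POLICIES = {
    "legacy": (True, False, False),
    "full": (True, True, False),
    "all": (True, True, True),
}

# Constructed sample: no gpgcheck_policy line, so the proposed default applies.
SAMPLE = """\
[main]
gpgcheck=1

[distro]
baseurl=https://repo.example.invalid/distro

[thirdparty]
baseurl=https://repo.example.invalid/thirdparty
repo_gpgcheck=0
"""


def expand_section(section, policy):
    """Checks one section sets: gpgcheck expansion first, explicit keys on top."""
    out = {}
    if "gpgcheck" in section:
        on = section.getboolean("gpgcheck")  # assumption: gpgcheck=0 turns all off
        out.update({k: on and v for k, v in zip(KEYS, POLICIES[policy])})
    out.update({k: section.getboolean(k) for k in KEYS if k in section})
    return out


def effective_checks(conf_text, repo_id):
    """Resolve the signature checks that would apply to one repo section."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section("main"):
        cp.add_section("main")
    policy = cp["main"].get("gpgcheck_policy", "full")  # unset behaves as "full"
    if policy not in POLICIES:
        raise ValueError(f"unknown gpgcheck_policy: {policy!r}")
    result = dict.fromkeys(KEYS, False)  # assumption: nothing set, nothing checked
    result.update(expand_section(cp["main"], policy))
    repo = expand_section(cp[repo_id], policy)  # assumption: repo beats [main]
    repo.pop("localpkg_gpgcheck", None)  # has no bearing in repo sections
    result.update(repo)
    return result
```

Running `effective_checks(SAMPLE, "thirdparty")` shows the per-repo override: metadata checking is off for that repo while package checking stays on, and adding `gpgcheck_policy=legacy` under `[main]` turns metadata checking off for `distro` as well.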

@Conan-Kudo
Member Author

At least initially, it would be great to have pkg_gpgcheck supported so that repo files from Zypper can work 1:1 on DNF v5.

@inknos inknos added Priority: LOW Triaged Someone on the DNF 5 team has read the issue and determined the next steps to take labels Jul 24, 2023
@inknos inknos removed their assignment Jul 24, 2023
@ppisar
Contributor

ppisar commented Nov 2, 2023

Wow, a configuration option for a configuration option. That makes understanding DNF5 even more challenging.

In short: the new "gpgcheck_policy" will modify what "gpgcheck" means. To allow each distribution to use its preferred meaning.

I understand what it does and it's technically feasible. Kudos to Conan-Kudo. But I'm not sure our users will understand it and whether they will be happy when moving from one distribution to another.

@Conan-Kudo
Member Author

The only reason it needs to exist is because Red Hat/Fedora doesn't sign repository metadata as standard practice. Otherwise I'd just change gpgcheck to mean pkg_gpgcheck+repo_gpgcheck.

Projects
Status: Backlog