Skipped PGP checks - but not sure which package or repo

Open praiskup opened this issue 1 year ago • 3 comments

```
$ sudo dnf5 update --refresh
..
Total size of inbound packages is 408 MiB. Need to download 408 MiB.
After this operation 2 MiB will be used (install 963 MiB, remove 961 MiB).
Is this ok [y/N]: y
...
Warning: skipped PGP checks for 1 package(s).
```

It would be nice if DNF5 admitted what packages are guilty.

praiskup, Mar 14 '24 22:03

I believe that it simply pertains to repositories which have signature verification disabled. (Either specifically in the repository configuration, or globally for all of them.) Otherwise, RPM would reject installing that package.

If somebody ever implements listing the packages, bear in mind the list can amount to hundreds of packages, typically when installing packages directly from Koji repositories. In that case the output would be pretty annoying. Especially when the user consented to no verification before invoking DNF.

If the current message indeed corresponds to repository configuration, it would be better to list the affected repositories, preferably before the user confirms the transaction, instead of listing packages after the sin^Wtransaction was committed.

ppisar, Mar 15 '24 08:03

What about only extending the message to include the IDs of repositories, because, as was mentioned, skipping is not a per-package property but a per-repository one, including the commandline repository.

What about something like `Warning: skipped PGP checks for 1 package(s) from 'fedora' repository.`

j-mracek, Mar 15 '24 08:03

> I believe that it simply pertains to repositories which have signature verification disabled. (Either specifically in the repository configuration, or globally for all of them.) Otherwise, RPM would reject installing that package.

Don't we want to drop the warning, then? I mean, if I (intentionally) use gpgcheck=0, the warning seems to raise eyebrows unnecessarily.

praiskup, Mar 15 '24 13:03
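Until the warning names its source, the repositories that can trigger it can be found from configuration, since the thread attributes the skip to `gpgcheck` being disabled per repository or globally. The following is an added example, not dnf5 code and not from any participant in this thread: it resolves the effective `gpgcheck` for each enabled repository from `[main]` plus the per-repo sections. The built-in default (`builtin_default`) and the accepted boolean spellings are assumptions, and it does not cover the commandline repository or command-line overrides.

```python
import configparser

# Assumption: booleans are written as 1/0, yes/no, true/false or on/off.
_TRUE = {"1", "yes", "true", "on"}
_FALSE = {"0", "no", "false", "off"}


def _parse(text):
    # interpolation=None: repo files contain literal '$releasever' and '%' characters.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _as_bool(value, fallback):
    """Map a config string to bool; missing or unrecognised values use fallback."""
    v = (value or "").strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return fallback


def repos_skipping_pgp(main_conf, repo_files, builtin_default=False):
    """Return sorted IDs of enabled repos whose effective gpgcheck is off.

    main_conf:  text of the main config (normally /etc/dnf/dnf.conf)
    repo_files: texts of the .repo files (normally /etc/yum.repos.d/*.repo)
    builtin_default: value assumed when gpgcheck is set nowhere (assumption).
    """
    main = _parse(main_conf)
    global_val = _as_bool(main.get("main", "gpgcheck", fallback=None), builtin_default)
    skipping = []
    for text in repo_files:
        cp = _parse(text)
        for repo_id in cp.sections():
            sec = cp[repo_id]
            if repo_id == "main" or not _as_bool(sec.get("enabled"), True):
                continue  # disabled repos cannot contribute packages
            if not _as_bool(sec.get("gpgcheck"), global_val):
                skipping.append(repo_id)
    return sorted(skipping)


# Constructed sample input (not taken from a real system).
SAMPLE_MAIN = "[main]\ngpgcheck=1\n"
SAMPLE_REPOS = [
    "[fedora]\nname=Fedora $releasever\nenabled=1\n",
    "[koji-local]\nenabled=1\ngpgcheck=0\n[debug]\nenabled=0\ngpgcheck=0\n",
]
```

Running such a check before confirming a transaction gives the per-repository view proposed above.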