dnf module: allow installing with `--no-gpgcheck`

[rambip]

Recently, I tried to install AppImageLauncher using bluebuild.
Since they provide a rpm build, I tried to install it directly using the dnf module.

Unfortunately, I got an error at build time:

 - package appimagelauncher-2.2.0-travis995~0f91801.x86_64 does not verify: no digest

And indeed, running rpm -qi appimagelauncher-2.2.0-travis995.0f91801.x86_64.rpm | head confirmed that the rpm file was not signed.

I could install it on a fedora machine with the --no-signature flag, or the more general --no-gpgcheck file (this also skips rpms that do not have metadata).

I think they are other rpm packages that do not have signature, so I think being able to specify this option for specific packages would be very useful.
For now, I installed it using the script module.

I consider contributing to the project if you think this is a useful feature.

[rambip]

Well, turns out my solution did not even work, I get an error with the post-script:

 [15:06:34 g.i/r/laptop:latest] => #50 0.860 Installing AppImageLauncher as interpreter for AppImages
[15:06:34 g.i/r/laptop:latest] => #50 0.863 modprobe: FATAL: Module binfmt_misc not found in directory /lib/modules/6.11.0-1018-azure
[15:06:34 g.i/r/laptop:latest] => #50 0.866 + systemctl restart systemd-binfmt
[15:06:34 g.i/r/laptop:latest] => #50 0.869 System has not been booted with systemd as init system (PID 1). Can't operate.
[15:06:34 g.i/r/laptop:latest] => #50 0.869 Failed to connect to system scope bus via local transport: Host is down
[15:06:34 g.i/r/laptop:latest] => #50 0.870 warning: %post(appimagelauncher-2.2.0-travis995~0f91801.x86_64) scriptlet failed, exit status 1
[15:06:35 g.i/r/laptop:latest] => #50 1.826 ============================ Failed 'script' Module ============================

[fiftydinar]

Well, turns out my solution did not even work, I get an error with the post-script:

 [15:06:34 g.i/r/laptop:latest] => #50 0.860 Installing AppImageLauncher as interpreter for AppImages
[15:06:34 g.i/r/laptop:latest] => #50 0.863 modprobe: FATAL: Module binfmt_misc not found in directory /lib/modules/6.11.0-1018-azure
[15:06:34 g.i/r/laptop:latest] => #50 0.866 + systemctl restart systemd-binfmt
[15:06:34 g.i/r/laptop:latest] => #50 0.869 System has not been booted with systemd as init system (PID 1). Can't operate.
[15:06:34 g.i/r/laptop:latest] => #50 0.869 Failed to connect to system scope bus via local transport: Host is down
[15:06:34 g.i/r/laptop:latest] => #50 0.870 warning: %post(appimagelauncher-2.2.0-travis995~0f91801.x86_64) scriptlet failed, exit status 1
[15:06:35 g.i/r/laptop:latest] => #50 1.826 ============================ Failed 'script' Module ============================

This looks like the not well written RPM spec to me.

It calls modprobe and systemctl command directly, which only works in runtime, but not in build-time. Systemd RPM macro exists for handling this, idk about modprobe.

Try to use the AppImage in releases instead.

[fiftydinar]

About --no-gpgcheck feature, yes, I think it's useful.

Now on whether that option would be specified per package or globally, I think it's better to have the option to specify it per package only, as running it globally is insecure.

[kinggrowler]

I have this same issue while trying to install a Brother printer driver. The dnf module worked prior to upgrading to Fedora 43. This proposed feature would be useful. Here is the error:

=> ============================== Start 'dnf' Module ==============================

<snipped>

=> Installing local packages:
=> - /tmp/files/dnf/hll2395dwpdrv-4.0.0-1.i386.rpm
=> Setting arg --skip-unavailable
=> Updating and loading repositories:
=> Repositories loaded.
=> Package                            Arch   Version             Repository        Size
=> Installing:
=>  hll2395dwpdrv                     i386   4.0.0-1             @commandline   3.1 MiB

<snipped>

=> Transaction failed: Rpm transaction failed.
=> Warning: skipped OpenPGP checks for 1 package from repository: @commandline
=>   - package hll2395dwpdrv-4.0.0-1.i386 does not verify: no digest
=> External command had a non-zero exit code
=> ============================= Failed 'dnf' Module =============================

Here is the stanza from the recipe file:

modules:
# install Brother printer driver
   - type: dnf
      install:
        install-weak-deps: true
        allow-erasing: true
        packages:
          - hll2395dwpdrv-4.0.0-1.i386.rpm # Brother Printer drivers

Here are the rpm and dnf versions:

]$ rpm --version ; dnf5 --version
RPM version 6.0.0
dnf5 version 5.2.17.0
dnf5 plugin API version 2.0
libdnf5 version 5.2.17.0
libdnf5 plugin API version 2.2

Loaded dnf5 plugins:
  name: builddep
  version: 1.0.0
  API version: 2.0

  name: changelog
  version: 1.0.0
  API version: 2.0

  name: config-manager
  version: 0.1.0
  API version: 2.0

  name: copr
  version: 0.1.0
  API version: 2.0

  name: needs_restarting
  version: 1.0.0
  API version: 2.0

  name: repoclosure
  version: 1.0.0
  API version: 2.0

  name: repomanage
  version: 1.0.0
  API version: 2.0

  name: reposync
  version: 1.0.0
  API version: 2.0

Loaded libdnf5 plugins:
  name: expired-pgp-keys
  version: 1.0.0
  API version: 2.1

$ cat /etc/fedora-release 
Fedora release 43 (Forty Three)

As a workaround, I'm installing this driver via rpm, like so:

 rpm -ivh --nodigest --nofiledigest --nodeps "https://someplace_online.com/<rpm>"

...but it feels a bit messy.

Also, in case it matters, the only way I am able to update my build from F42 to F43 is to do a dnf swap on "rpm-ostree" package from ublue-os staging repo, otherwise every build fails with innumerable errors similar to:

rpm-ostree override remove:29): libdnf-WARNING **: 04:29:40.746: failed to add subkeys for /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-17-secondary to rpmdb

This seems to be a well-known issue with upstream libdnf affecting many F43 builds. Swapping rpm-ostree to ublue-os staging fixed this issue. Here is the code if anyone is interested:

if [[ "$(rpm -E %fedora)" -gt 42 ]]; then
  dnf5 -y copr enable ublue-os/staging
  dnf5 -y swap --repo='copr:copr.fedorainfracloud.org:ublue-os:staging' \
    rpm-ostree rpm-ostree
  dnf5 versionlock add rpm-ostree
  dnf5 -y copr disable ublue-os/staging
fi

To be clear, swapping rpm-ostree was the ONLY way I was able to progress from F42 to F43 so I could get to the place where I saw this "dnf module" issue. There may be a better way around the "libdnf gpgkey" issues but I haven't found it.