"Warning: skipped OpenPGP checks" during system-upgrade from F41 to F42 #2206

fuzzy9000 opened this issue Apr 20, 2025 · 6 comments

@fuzzy9000

I just updated a Fedora 41 VM to Fedora 42 using these commands:

dnf system-upgrade download --refresh --releasever=42
dnf5 offline reboot

This is my first time upgrading using DNF5; I had previously used DNF4's system-upgrade.

The upgrade completed successfully. After it rebooted, I checked the system log (journalctl) to make sure everything went OK, and came across this really disturbing message:

dnf5[970]: Warning: skipped OpenPGP checks for 700 packages from repository: @stored_transaction
dnf5[970]: Transaction complete! Cleaning up and rebooting...

700 is the exact number of packages that dnf system-upgrade downloaded. After the downloads finished, I was asked to import the new Fedora 42 OpenPGP key and answered y.

According to #1985, DNF5 doesn't check PGP signatures when downloading, but is supposed to check PGP signatures when installing.

So: Based on the message that was logged, should I assume that the new packages were installed without any PGP signature checks at all, either when downloading or when installing?

If so, why did DNF5 decide to "skip" OpenPGP checks? That seems like a significant security problem. I definitely never asked it to do that. My /etc/dnf/dnf.conf file has not been customized (it just contains the [main] line).

The version of the dnf5 package at the time of the upgrade was 5.2.10.0-2.fc41. (I forgot to do a dnf upgrade before the system-upgrade, so that version may be a bit out of date.)
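One way to answer the question above independently of what the transaction run verified is to audit the signatures rpm recorded for every installed package. This is an added example, not dnf5 project code or part of the original report; it assumes rpm's standard query-format signature tags (RSAHEADER, DSAHEADER, SIGPGP, SIGGPG) and takes the trusted short key IDs as input, with the key IDs in the usage comment being placeholders.

```shell
#!/bin/sh
# Added example, not dnf5 project code: audit the installed package set after
# the upgrade. rpm keeps each package's OpenPGP signature in the header; this
# extracts the signing key ID of every installed package and reports packages
# that are unsigned or signed by a key you did not approve.

# Show the keys currently imported into the rpmdb: "<short key id> <summary>".
# Review this list and pass the short IDs you trust to the audit below.
list_imported_keys() {
    rpm -q gpg-pubkey --qf '%{VERSION} %{SUMMARY}\n'
}

# One line per installed package: "NVRA<TAB>sig<TAB>sig...". Fedora stores the
# signature in RSAHEADER (or DSAHEADER for non-RSA keys); SIGPGP/SIGGPG are the
# legacy combined-signature tags. rpm prints "(none)" for absent tags. The
# gpg-pubkey pseudo-packages are never signed themselves, so they are skipped.
list_installed_signatures() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{RSAHEADER:pgpsig}\t%{DSAHEADER:pgpsig}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n' \
        | grep -v '^gpg-pubkey-'
}

# Reads the lines above on stdin; $1 is a space-separated list of allowed short
# (8 hex digit) key IDs, as printed by list_imported_keys. The 16-digit "Key ID"
# in pgpsig output ends with that short ID. Prints one line per problem package
# and returns 1 if anything was flagged, 0 if every package is signed by an
# allowed key.
flag_unexpected_signatures() {
    allowed=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    tab=$(printf '\t')
    bad=0
    while IFS="$tab" read -r pkg sigs; do
        keyid=$(printf '%s' "$sigs" \
            | sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' | tr 'A-F' 'a-f')
        if [ -z "$keyid" ]; then
            printf '%s: no OpenPGP signature\n' "$pkg"
            bad=1
            continue
        fi
        case " $allowed " in
            *" ${keyid#????????} "*) ;;   # short ID = last 8 hex digits
            *) printf '%s: signed by unexpected key %s\n' "$pkg" "$keyid"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Typical run on the upgraded host (key IDs are placeholders to fill in):
#   list_imported_keys
#   list_installed_signatures | flag_unexpected_signatures "<f42-short-id> <f41-short-id>"
```

A clean run prints nothing and exits 0; packages the transaction installed without a trusted signature show up by name.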

@ppisar (Contributor) commented Apr 22, 2025

Could you tell us what dnf5 version you used for the system upgrade? Recently there were a few changes in the offline update and this warning could be caused by them.

@fuzzy9000 (Author)

As mentioned, it was 5.2.10.0-2.fc41.

I have now repeated the exact same commands on another Fedora 41 VM, but this time with the latest 5.2.12.0-2.fc41 package. (I did a complete dnf upgrade first and rebooted.)

After the system upgrade finished and rebooted, the warning message is present in the log, but the wording is slightly different (@stored_transaction changed to fedora, updates):

dnf5[967]: Warning: skipped OpenPGP checks for 717 packages from repositories: fedora, updates
dnf5[967]: Transaction complete! Cleaning up and rebooting...

@kontura (Contributor) commented Apr 23, 2025

The system-upgrade and offline/stored transactions do a transaction test after the download (unlike the download command and --downloadonly option) and signatures are verified during this step.

Though it is true the verification is skipped during the actual run of the transaction.

@kontura (Contributor) commented Apr 23, 2025

I don't think this was affected by the recent changes apart from the change of repo names (as visible in the logs you provided).
Before, for running the transaction we used only the custom @stored_transaction repo; now we create custom repos with the stored names, but none of them have the pkg_gpgcheck config option set.

@ppisar (Contributor) commented Apr 23, 2025

Though it is true the verification is skipped during the actual run of the transaction.

Is it a feature (do you remember system-upgrade rejecting keys because of no real-time clock on Raspberry machines?), or a bug?

@kparal commented May 28, 2025

I just encountered the same warning during a standard offline upgrade on F42:

sudo dnf distro-sync --offline
sudo dnf offline reboot
...
dnf5[1467]: Warning: skipped OpenPGP checks for 75 packages from repositories: updates, updates-testing
dnf5[1467]: Transaction complete! Cleaning up and rebooting...

Full system journal here: upgrade-journal.txt

This seems concerning for the end user. If this is intentional and safe, maybe the warning message could be adjusted?

(I found this bug, so I'm commenting here, but I can file a separate one if needed.)

4 participants