AWS Security ChangesHomeSearch

AWS linux documentation change

Service: linux · 2026-06-16 · Documentation low

File: linux/al2023/ug/repo-metadata-signing.md

Summary

Updated documentation on repository metadata signing behavior: clarified DNF's key import prompt behavior, changed repo_gpgcheck default to disabled, added warnings for unattended runs.

Security assessment

The changes clarify security feature behavior (GPG signature verification) but don't address a specific vulnerability. Added documentation about key import prompts and unattended run risks improves security awareness but isn't tied to a specific security incident.

Diff

diff --git a/linux/al2023/ug/repo-metadata-signing.md b/linux/al2023/ug/repo-metadata-signing.md
index 317fb2289..d53bef868 100644
--- a//linux/al2023/ug/repo-metadata-signing.md
+++ b//linux/al2023/ug/repo-metadata-signing.md
@@ -19 +19,3 @@ When AL2023 repositories are published, the repository metadata (`repomd.xml`) i
-When you enable `repo_gpgcheck` in your repository configuration, DNF automatically downloads and verifies the `repomd.xml.asc` signature against the GPG public key before using the repository metadata. If the signature verification fails, DNF rejects the repository metadata and does not proceed with package operations from that repository. For more information about `repo_gpgcheck`, see the [DNF Configuration Reference](https://dnf.readthedocs.io/en/latest/conf_ref.html).
+When you enable `repo_gpgcheck` in your repository configuration, DNF verifies the `repomd.xml.asc` signature against the GPG public key before it uses the repository metadata. If verification fails, DNF rejects the metadata and does not run package operations from that repository.
+
+The first time DNF verifies a repository's metadata, it prompts you to import that repository's signing key into a per-repository keyring. This prompt defaults to `No`. If you decline it, or if no one can answer it (for example, an unattended run without the `-y` option), DNF skips the repository. For more information about `repo_gpgcheck`, see the [DNF Configuration Reference](https://dnf.readthedocs.io/en/latest/conf_ref.html).
@@ -39 +41 @@ Setting | What it verifies | Default in AL2023
-`repo_gpgcheck=1` | Verifies the GPG signature of the repository metadata (`repomd.xml`) before using the repository. | Disabled (enabled by default starting with the `2023.12` quarterly release)  
+`repo_gpgcheck=1` | Verifies the GPG signature of the repository metadata (`repomd.xml`) before using the repository. | Disabled by default  
@@ -41 +43 @@ Setting | What it verifies | Default in AL2023
-We strongly recommend that you enable both `gpgcheck` and `repo_gpgcheck`. This ensures that both the repository metadata and the individual packages are verified before use.
+We recommend that you enable both `gpgcheck` and `repo_gpgcheck`. This ensures that both the repository metadata and the individual packages are verified before use.
@@ -49 +51 @@ You can enable repository metadata verification for individual repositories by u
-Starting with the `2023.12` quarterly release, `repo_gpgcheck=1` will be enabled by default in the AL2023 repository configuration files.
+Repository metadata signature verification is not enabled by default.
@@ -71 +73 @@ After enabling `repo_gpgcheck=1`, you can verify that metadata verification is w
-If the metadata verification succeeds, DNF imports the GPG key (if not already imported) and creates the metadata cache without errors. You will see output similar to the following:
+The first time DNF verifies the metadata for a repository, it prompts you to import that repository's signing key. Enter `y` to confirm. After the key is imported, DNF creates the metadata cache without errors. You will see output similar to the following:
@@ -78,0 +81 @@ If the metadata verification succeeds, DNF imports the GPG key (if not already i
+    Is this ok [y/N]: y
@@ -81,0 +85,6 @@ If the metadata verification succeeds, DNF imports the GPG key (if not already i
+The import prompt defaults to `No`. If you decline it, DNF skips the repository and reports `Ignoring repositories` in the output.
+
+###### Important
+
+The signing key is imported into a per-repository keyring that is keyed to the resolved repository URL. The import prompt appears again whenever that URL changes, such as after a version or Region change. For unattended runs such as cron jobs, container builds, and automation, pass the `-y` option to every DNF command that refreshes metadata, so the key is imported without a prompt. Without `-y`, the prompt defaults to `No`, DNF skips the repository, and the command can still exit with status `0`.
+