[REGRESSION] dnf5 does not pull signing keys #2134

Open
madonuko opened this issue Mar 14, 2025 · 2 comments
Labels
Priority: HIGH Triaged Someone on the DNF 5 team has read the issue and determined the next steps to take


@madonuko
Contributor

dnf5 5.2.11.0 has a regression where it refuses to pull missing signing keys from repos during syncing. This worked fine on 5.2.10.0.

To Reproduce

  1. podman pull ghcr.io/terrapkg/builder:frawhide, this pulls the latest podman image from our builders
    As of today, the sha is a5f3fd92ce13
  2. podman run -it ghcr.io/terrapkg/builder:frawhide
  3. In the shell, run dnf in -y 'pkgconfig(astal-io-0.1)'
Updating and loading repositories:
 Fedora - Rawhide - Developmental packa 100% |  24.9 KiB/s |  10.0 KiB |  00m00s
 packages for the GitHub CLI            100% | 115.4 KiB/s |   3.0 KiB |  00m00s
 Fedora - Rawhide - Developmental packa 100% |   1.7 MiB/s |   4.0 MiB |  00m02s
 Terra rawhide (Extras)                 100% |   3.8 KiB/s |   6.6 KiB |  00m02s
>>> Librepo error: repomd.xml GPG signature verification error: Signing key not 
 Terra rawhide                          100% |   4.6 KiB/s |   7.8 KiB |  00m02s
>>> Librepo error: repomd.xml GPG signature verification error: Signing key not 
Repositories loaded.
Failed to resolve the transaction:
No match for argument: pkgconfig(astal-io-0.1)
You can try to add to command line:
  --skip-unavailable to skip unavailable packages

Old Behaviour

This is generated using podman run -it 8b8895c43b10 (an older builder image with dnf5 5.2.10.0)

Updating and loading repositories:
 packages for the GitHub CLI                                               100% |  14.6 KiB/s |   3.0 KiB |  00m00s
 Fedora rawhide openh264 (From Cisco) - x86_64                             100% |   3.2 KiB/s | 986.0   B |  00m00s
 Terra rawhide (Extras)                                                    100% |   4.3 KiB/s |   6.6 KiB |  00m02s
>>> Librepo error: repomd.xml GPG signature verification error: Signing key not found                              
 Fedora rawhide openh264 (From Cisco) - x86_64                             100% |   4.2 KiB/s |   5.8 KiB |  00m01s
 Terra rawhide                                                             100% |   5.0 KiB/s |   7.8 KiB |  00m02s
>>> Librepo error: repomd.xml GPG signature verification error: Signing key not found                              
 https://repos.fyralabs.com/terrarawhide-extras/key.asc                    100% |   1.0 KiB/s | 726.0   B |  00m01s
 https://repos.fyralabs.com/terrarawhide/key.asc                           100% |   1.0 KiB/s | 717.0   B |  00m01s
Importing OpenPGP key 0x3CD99338:
 UserID     : "Terra Rawhide Extras Distribution <[email protected]>"
 Fingerprint: C05A925CFCF7C583482FF8CC022D9E9B3CD99338
 From       : https://repos.fyralabs.com/terrarawhide-extras/key.asc
The key was successfully imported.
Importing OpenPGP key 0x68F437CA:
 UserID     : "Terra Rawhide Distribution <[email protected]>"
 Fingerprint: 6AB2516D559868D141F8E0600E2C394268F437CA
 From       : https://repos.fyralabs.com/terrarawhide/key.asc
The key was successfully imported.
 Terra rawhide (Extras)                                                    100% | 262.1 KiB/s | 269.7 KiB |  00m01s
 Terra rawhide                                                             100% | 158.6 KiB/s | 348.3 KiB |  00m02s
Repositories loaded.
…

If you would like to reproduce, try downloading 5.2.11.0 from koji manually.

@madonuko
Contributor Author

git bisect shows:

0f1242b0ae21c371507f5bbc3507a99e3abd13cf is the first bad commit
commit 0f1242b0ae21c371507f5bbc3507a99e3abd13cf
Author: Evan Goode <[email protected]>
Date:   Thu Feb 27 00:08:46 2025 +0000

    repo: ignore key download errors if skip_if_unavailable
    
    In repo::RepoSack::update_and_load_repos, log and ignore errors related
    to reading or downloading GPG keys if we are using
    skip_if_unavailable=false
    
    Resolves https://github.com/rpm-software-management/dnf5/issues/2065

 libdnf5/repo/repo_sack.cpp | 57 ++++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 42 insertions(+), 15 deletions(-)

Commit in question: 0f1242b
Related issue: #2065

This fix is invalid since this does not match the behaviour of dnf4.

@m-blaha
Member

m-blaha commented Mar 14, 2025

Thanks for reporting! This looks quite serious.
The regression was caused by commit 0f1242b. The build with this commit reverted works as expected.

I noticed an interesting warning in dnf5.log during terra repository metadata downloading:

2025-03-14T09:59:52+0000 [27] WARNING Error loading repo "terra-extras" (skipping due to "skip_if_unavailable=true"):
2025-03-14T09:59:52+0000 [27] WARNING  std::exception

which seems wrong since the repo doesn't have skip_if_unavailable set (thus should default to false).

m-blaha added the Priority: HIGH and Triaged labels Mar 14, 2025
madonuko added a commit to terrapkg/mock-configs that referenced this issue Mar 15, 2025
Quick temporary workaround for rpm-software-management/dnf5#2134
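
Added example, not part of the issue thread or of dnf5's code: a check that cross-references the skipping due to "skip_if_unavailable=true" warnings from dnf5.log against repo configuration and flags repos that were skipped without opting in, which is the mismatch pointed out in the last comment. The repo file text and the optional-mirror repo are constructed; the log format comes from the two lines quoted in the thread, and the default of false is taken from that comment.

```python
import configparser
import re

# Constructed .repo content; the real Terra repo file is not shown in the thread.
SAMPLE_REPO_FILE = """\
[terra-extras]
name=Terra rawhide (Extras)
gpgcheck=1
repo_gpgcheck=1

[optional-mirror]
name=Constructed optional repo
skip_if_unavailable=True
"""

# First two lines are quoted in the thread; the third is constructed.
SAMPLE_LOG = """\
2025-03-14T09:59:52+0000 [27] WARNING Error loading repo "terra-extras" (skipping due to "skip_if_unavailable=true"):
2025-03-14T09:59:52+0000 [27] WARNING  std::exception
2025-03-14T10:01:10+0000 [27] WARNING Error loading repo "optional-mirror" (skipping due to "skip_if_unavailable=true"):
"""

SKIP_RE = re.compile(
    r'WARNING Error loading repo "([^"]+)" '
    r'\(skipping due to "skip_if_unavailable=true"\)'
)
TRUE_VALUES = {"1", "true", "yes", "on"}


def repos_allowing_skip(repo_text, main_default=False):
    """Return repo ids whose effective skip_if_unavailable is true."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    allowed = set()
    for repo_id in parser.sections():
        raw = parser.get(repo_id, "skip_if_unavailable", fallback=None)
        # Unset option falls back to the global default (assumed false here).
        enabled = main_default if raw is None else raw.strip().lower() in TRUE_VALUES
        if enabled:
            allowed.add(repo_id)
    return allowed


def unexpected_skips(log_text, repo_text, main_default=False):
    """Repos the log says were skipped although config does not allow skipping.

    A repo id that appears in the log but not in the config is also reported.
    """
    allowed = repos_allowing_skip(repo_text, main_default)
    return sorted({r for r in SKIP_RE.findall(log_text) if r not in allowed})
```

On the sample data only terra-extras is reported, since optional-mirror explicitly opts in to being skipped.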