GPG keys when running DNF

I wanted to install codec for video.

So I installed rpmfusion.

sudo dnf install \

https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm

and I typed this

sudo dnf groupupdate multimedia

then computer asked.

arning: /var/cache/dnf/updates-d6521d96a82a4d6a/packages/glibc-devel-2.29-22.fc30.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID cfc659b9: NOKEY
Fedora 30 - x86_64 - Updates 1.6 MB/s | 1.6 kB 00:00
Importing GPG key 0xCFC659B9:
Userid : “Fedora (30) fedora-30-primary@fedoraproject.org”
Fingerprint: F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-30-x86_64
Is this ok [y/N]:

I don’t know this is ok. Is this safe?

1 Like

It matches the official Fedora 30 key fingerprint, no need to worry.

3 Likes

Most repositories, including RPMFusion, use cryptography to sign their packages which helps the package manger determine if the packages are unmodified (to make sure they have not been tampered with). Since you just installed RPMFusion, it is asking you to download the GPG key that will be used to check the signatures on the packages you install from that repository.

I just wanted to expand on your question a bit, for more information about how Fedora GPG keys and signatures work check out the link @vgaetera posted…

2 Likes

It is Fedora release key, not RPM Fusion, and this happens in every new installation.
Although I heard that it is supposed to be fixed in Fedora 2x release, the issue seems still relevant.

1 Like

I’m relieved. Thank you.

1 Like

Off-topic to your actual question, but just FYI: As @vgaetera said, that’s the Fedora 30 signing key, and it would have come up even if you hadn’t added RPM Fusion. It was shown because you asked dnf to update the multimedia group, which is also a Fedora package group, and this was the first time you’ve used dnf to install Fedora packages on that system.

If you’d typed sudo dnf group update multimedia without installing RPM Fusion’s repos, you would’ve gotten exactly the same thing when dnf updated some or all of these packages:

$ sudo dnf --disablerepo=rpmfusion\* group info multimedia

Group: Multimedia
 Description: Audio/video framework common to desktops
 Mandatory Packages:
   PackageKit-gstreamer-plugin
   alsa-plugins-pulseaudio
   alsa-ucm
   alsa-utils
   gstreamer1-plugins-bad-free
   gstreamer1-plugins-good
   pulseaudio
   pulseaudio-module-x11
   pulseaudio-utils
 Conditional Packages:
   gstreamer-plugins-bad-free
   gstreamer-plugins-espeak
   gstreamer-plugins-good

With RPM Fusion, a few more are added:

$ sudo dnf --disablerepo=fedora --disablerepo=updates group info multimedia

Group: Multimedia
 Description: Audio/video framework common to desktops
 Mandatory Packages:
   gstreamer1-libav
   gstreamer1-plugins-bad-freeworld
   gstreamer1-plugins-ugly
 Conditional Packages:
   chromium-libs-media-freeworld
   ffmpeg-libs
   gstreamer-ffmpeg
   gstreamer-plugins-ugly
   qt5-qtwebengine-freeworld

(And if you install any of those, you should expect to get another key import prompt much like the previous one, but this time for the RPM Fusion Free package signing key.)

4 Likes