DNS key verification: Fix caching negative responses
If a user had installed multiple keys for the same e-mail address in
an RPM database, and no records for the address existed in DNS, DNF
validated the first key correctly, but reported that the other key is
revoked:

    # rpm -q gpg-pubkey --qf '%{packager} %{nevra}\n' |grep nokey
    nokey1 <[email protected]> gpg-pubkey-7460757e-6553a6ab
    nokey2 <[email protected]> gpg-pubkey-c8d04ba8-6553a6b1
    # dnf-3 upgrade
    DNSSEC extension: Testing already imported keys for their validity.
    DNSSEC extension: GPG Key [email protected] has been revoked and should be removed immediately

The cause was a wrong test for a cached negative response. This patch
fixes it.

https://bugzilla.redhat.com/show_bug.cgi?id=2249380
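The scenario in the commit message can be replayed offline with a small model of the per-address cache. This is an added example, not code from the dnf project: the `Validity` enum, the `NoKey` class, the `check_keys` driver, the DNS stand-in and the sample key list are all constructed here, and the assumption that an unmatched cache entry is reported as revoked is taken from the behaviour the message describes, not from dnf's source.

```python
"""Model of the cached-negative-response check fixed in this commit.

Added example, not dnf's own code.  It mirrors the shape of the
`_cache_hit` branch in dnf/dnssec.py (a per-address cache holding either a
key string or a NoKey object) so the two-keys-one-address case from the
commit message can be run without DNS or an RPM database.
"""
from enum import Enum


class Validity(Enum):
    # Stand-in for dnf's Validity; REVOKED as the "else" outcome is an
    # assumption made for this example, consistent with the bug report.
    VALID = 1
    REVOKED = 2
    PROVEN_NONEXISTENCE = 3


class NoKey:
    """Cached negative answer: DNSSEC proved there is no key for the address."""


def cache_hit_buggy(key_union, input_key_string):
    # Pre-fix test.  `key_union is NoKey` compares the cached *instance* with
    # the *class* object, which is never true, so every cached negative
    # answer falls through to the else branch.
    if key_union == input_key_string:
        return Validity.VALID
    elif key_union is NoKey:
        return Validity.PROVEN_NONEXISTENCE
    else:
        return Validity.REVOKED  # assumption: mismatch reported as revoked


def cache_hit_fixed(key_union, input_key_string):
    # Post-fix test: an isinstance check matches the stored NoKey() instance.
    if key_union == input_key_string:
        return Validity.VALID
    elif isinstance(key_union, NoKey):
        return Validity.PROVEN_NONEXISTENCE
    else:
        return Validity.REVOKED


def check_keys(installed, dns_records, cache_hit):
    """Validate (email, key_id, key_string) triples in order, caching per address.

    `dns_records` is a constructed stand-in for the DNSSEC lookup: it maps an
    address to the key string published in DNS; a missing address models a
    proven-nonexistence answer.  Returns {key_id: Validity}.
    """
    cache = {}
    results = {}
    for email, key_id, key_string in installed:
        if email in cache:
            # Second and later keys for an address only ever see the cache.
            results[key_id] = cache_hit(cache[email], key_string)
            continue
        # Cache miss: "query DNS" and store a positive or negative answer.
        if email in dns_records:
            cache[email] = dns_records[email]
            results[key_id] = (Validity.VALID if dns_records[email] == key_string
                               else Validity.REVOKED)
        else:
            cache[email] = NoKey()
            results[key_id] = Validity.PROVEN_NONEXISTENCE
    return results


# Constructed sample: two keys for one address, no DNS record for it.
# Key ids are the nevras from the commit message; the address and key
# material are made up.
INSTALLED = [
    ("nokey@example.invalid", "gpg-pubkey-7460757e-6553a6ab", "KEY-MATERIAL-1"),
    ("nokey@example.invalid", "gpg-pubkey-c8d04ba8-6553a6b1", "KEY-MATERIAL-2"),
]
DNS_RECORDS = {}


def replay_buggy():
    return check_keys(INSTALLED, DNS_RECORDS, cache_hit_buggy)


def replay_fixed():
    return check_keys(INSTALLED, DNS_RECORDS, cache_hit_fixed)


if __name__ == "__main__":
    for label, replay in (("before fix", replay_buggy), ("after fix", replay_fixed)):
        print(label)
        for key_id, verdict in replay().items():
            print(f"  {key_id}: {verdict.name}")
```

Running it shows the first key getting PROVEN_NONEXISTENCE both times (it takes the cache-miss path), while the second key is REVOKED with the identity test and PROVEN_NONEXISTENCE with `isinstance`; the general lesson is that a sentinel stored as an instance must be tested with `isinstance`, and a sentinel meant to be compared with `is` must be stored as the singleton object itself.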
ppisar authored and jan-kolarik committed Nov 15, 2023
1 parent 53a5a93 commit 5d95553
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion dnf/dnssec.py
@@ -150,7 +150,7 @@ def _cache_hit(key_union, input_key_string):
if key_union == input_key_string:
logger.debug("Cache hit, valid key")
return Validity.VALID
elif key_union is NoKey:
elif isinstance(key_union, NoKey):
logger.debug("Cache hit, proven non-existence")
return Validity.PROVEN_NONEXISTENCE
else:
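Review bot: the change to `elif isinstance(key_union, NoKey):` is correct, since `key_union is NoKey` only held when the cached object was the NoKey class itself, never a NoKey() instance stored as a negative answer, so every cached negative response skipped the PROVEN_NONEXISTENCE branch and fell into the else branch. Two follow-ups belong in the same change: check the rest of dnf/dnssec.py for other identity tests against NoKey on values the cache stores (the module is not shown here, so this is a check to run rather than a finding), and add a regression test that imports two keys for one address with no DNS record and asserts the second lookup returns Validity.PROVEN_NONEXISTENCE, which is the case from the commit message and one that the `key_union == input_key_string` test above can never satisfy.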

0 comments on commit 5d95553