Bug ID | 1055533 |
---|---|
Summary | [regression] installation of locally built packages requires disabling verification |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | openSUSE Factory |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | libzypp |
Assignee | zypp-maintainers@forge.provo.novell.com |
Reporter | thardeck@suse.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |

To run integration tests, we build an RPM package locally with osc and install it by calling `zypper --non-interactive in <local_package_path>`. This process does not work anymore in the latest Tumbleweed snapshots because zypper requires an existing signature unless the parameter `--no-gpg-checks` is provided. But using `--no-gpg-checks` would be a security risk because all the dependencies are then also not verified and are often downloaded via HTTP. Before the change they were verified, so tampering was not possible. To prevent those security risks, it would be great if locally available packages could still be installed non-interactively without disabling the GPG checks.