What happens if a GPG key is invalid?

Dec 24, 2025

If a GPG key is invalid—meaning it is expired, corrupted, or simply doesn't match the digital signature of the package—DNF will strictly block the installation to protect your system.

Here is exactly what happens:

1. The Installation Fails

When you run dnf install, the process will reach the "Transaction Check" phase. If the GPG signature verification fails, DNF will display an error message and exit. It will not install the package files.

2. Standard Error Messages

You will typically see one of these errors in your terminal:

  • Public key for package.rpm is not installed (The signature exists, but you don't have the key).
  • Package package.rpm is not signed (The repo requires signatures, but the package doesn't have one).
  • GPG check FAILED (The key is present, but the signature is wrong—this is a serious red flag).

3. Safety Mechanism

Because the signature doesn't match the key, DNF treats the package as compromised. It assumes the package has been tampered with by a third party or that the repository has been hacked.

Can you bypass it?

Technically, yes, but it is highly discouraged in production. You can bypass the check using the --nogpgcheck flag:

sudo dnf install <package_name> --nogpgcheck

Warning: Only do this if you are 100% sure the source is safe (e.g., a local package you built yourself).
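The three error messages listed above call for different responses, and none of them starts with the bypass flag. The following is an added example, not part of the original answer: a small shell triage that sorts DNF output lines into those three cases and prints the next step. The function names, category labels and severity order are assumptions made for the example, and the sample lines are constructed from the message texts quoted above.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names, category
# labels and the severity order are assumptions made for this sketch.

classify_gpg_error() {
    # $1 = one line of DNF output; prints a category label.
    case "$1" in
        *"Public key for "*" is not installed"*) echo missing-key ;;
        *"Package "*" is not signed"*)           echo unsigned ;;
        *"GPG check FAILED"*)                    echo bad-signature ;;
        *)                                       echo other ;;
    esac
}

next_step() {
    # $1 = category label; prints the action to take instead of bypassing.
    case "$1" in
        missing-key)   echo "import the repo's key from a trusted source (rpm --import), retry" ;;
        unsigned)      echo "reject unless it is a local package you built yourself" ;;
        bad-signature) echo "discard the file, re-download, check the key; never --nogpgcheck" ;;
        *)             echo "no signature error found" ;;
    esac
}

worst_category() {
    # Reads DNF output on stdin; prints the most severe category seen
    # (assumed order: bad-signature > unsigned > missing-key > other).
    worst=other
    while IFS= read -r line; do
        c=$(classify_gpg_error "$line")
        case "$c" in
            bad-signature) worst=bad-signature ;;
            unsigned)      if [ "$worst" != bad-signature ]; then worst=unsigned; fi ;;
            missing-key)   if [ "$worst" = other ]; then worst=missing-key; fi ;;
        esac
    done
    echo "$worst"
}

# Constructed sample output, using the message texts quoted above.
verdict=$(worst_category <<'EOF'
Public key for package.rpm is not installed
Error: GPG check FAILED
EOF
)
echo "$verdict: $(next_step "$verdict")"
```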

Why might a key be "Invalid"?

  1. Expiration: Like a passport, GPG keys have expiration dates. If the developer hasn't updated the key on your system, it will be marked as invalid.
  2. Corrupted Download: The package might have been partially downloaded or corrupted during transit.
  3. Malicious Activity: Someone actually modified the software, changing its digital "fingerprint."
  4. Wrong Key: You might have imported a GPG key for RHEL 8, but you are trying to install a package meant for RHEL 9.

Summary: If the GPG key is invalid, DNF acts as a security guard and refuses to open the door, ensuring no untrusted code runs on your machine.
