- Bug
- Resolution: Unresolved
- Normal
- rhel-9.7
- rhel-swm
- DNF Sprint 50
- x86_64
What were you trying to do that didn't work?
When _sig_check_pkg in dnf/base.py encounters an untrusted GPG public key (sigresult == 3), it should return result = 2 (fatal) if no GPG key is configured for the repo, and result = 1 (retryable) if a GPG key is configured. However, a stray result = 1 on line 1408 unconditionally overwrites the conditional assignment, so result is always 1 regardless of hasgpgkey.
What is the impact of this issue to you?
When a package is signed with an untrusted key and the repo has no gpgkey configured, dnf treats it as a retryable condition (result = 1) instead of a fatal error (result = 2). This is inconsistent with the handling of sigresult == 1 (key not installed), which correctly distinguishes between the two cases.
Please provide the package NVR for which the bug is seen:
The bug was introduced 13 years ago and is present in all versions.
I verified with dnf-4.14.0 of branch rhel-9-main from dist-git after applying all patches.
How reproducible is this bug?:
100%
Steps to reproduce
- Configure a repo without a gpgkey set
- Attempt to install a package signed with an untrusted GPG key
- Observe _sig_check_pkg returns result = 1 instead of result = 2
Expected results
result = 2 (fatal error) when hasgpgkey is False and the public key is untrusted, matching the behavior of the sigresult == 1 case.
Actual results
result = 1 (retryable) is always returned for sigresult == 3, regardless of hasgpgkey.
Fix: PR #2302
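The decision logic described above, reduced to a model so the two control flows can be compared side by side. This is an added illustration, not dnf's own _sig_check_pkg; the function names and the constant names are assumptions, while the sigresult codes (1 = key not installed, 3 = key untrusted) and result codes (1 = retryable, 2 = fatal) follow the report.

```python
# Added illustration modelled on the report; not the dnf source.
# Result codes as described in the report: 0 = OK, 1 = retryable
# (importing the repo's configured key might fix it), 2 = fatal.
# sigresult codes compared in the report: 1 = key not installed,
# 3 = key untrusted.

SIG_OK = 0
SIG_KEY_NOT_INSTALLED = 1
SIG_KEY_UNTRUSTED = 3

RESULT_OK = 0
RESULT_RETRY = 1
RESULT_FATAL = 2


def classify_buggy(sigresult, hasgpgkey):
    """Mirror the defective control flow: the conditional assignment for the
    untrusted-key case is discarded by an unconditional ``result = 1``."""
    if sigresult == SIG_OK:
        result = RESULT_OK
    elif sigresult == SIG_KEY_NOT_INSTALLED:
        result = RESULT_RETRY if hasgpgkey else RESULT_FATAL
    elif sigresult == SIG_KEY_UNTRUSTED:
        result = RESULT_RETRY if hasgpgkey else RESULT_FATAL
        result = RESULT_RETRY  # stray line: overwrites the branch above
    else:
        result = RESULT_FATAL  # other codes are not modelled here
    return result


def classify_fixed(sigresult, hasgpgkey):
    """Same logic with the stray assignment removed, so the untrusted-key
    case is handled exactly like the key-not-installed case."""
    if sigresult == SIG_OK:
        result = RESULT_OK
    elif sigresult in (SIG_KEY_NOT_INSTALLED, SIG_KEY_UNTRUSTED):
        result = RESULT_RETRY if hasgpgkey else RESULT_FATAL
    else:
        result = RESULT_FATAL
    return result


def divergent_cases():
    """Return the (sigresult, hasgpgkey) inputs where the two versions differ."""
    return [
        (s, k)
        for s in (SIG_KEY_NOT_INSTALLED, SIG_KEY_UNTRUSTED)
        for k in (False, True)
        if classify_buggy(s, k) != classify_fixed(s, k)
    ]


if __name__ == "__main__":
    print(divergent_cases())  # [(3, False)]: buggy returns 1, fixed returns 2
```

The only input on which the two versions disagree is an untrusted key on a repo with no gpgkey configured, which is precisely the case the report says should be fatal.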
Clones: RHEL-154164 [RHEL 8] Unconditional result overwrites conditional result in GPG signature check for untrusted keys (New)