An RFE for yum has been to provide a list of gpg keyids that are valid per-repository.
So then the gpgcheck process would be:
- check if the sig exists
- check if the sig is valid
- if both are true, check to see if the keyid matches the allowed keyid for packages from that repo.
A couple of questions here.
- What key is used for this purpose (to sign the metadata)?
- Where does the user store this public key?
- What prevents the clueless users from having the same expectation from a gpg-signed metadata-repo as they have with gpg-signed packages?
This is just based on keys in your rpmdb.
The idea is this:
If you have 3 repos available to yum, they are signed with 3 separate gpg keys. So you've imported all the keys into your rpmdb. The whole point of the feature I described before is so you can say:
the only packages I want from this repository are signed with _this_ key. If you get a package from this repository that is signed with any other key, even if I have that key in my rpmdb, don't trust it.
-sv
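The three-step check described in this thread, written out as an added example (not yum's code). The per-repo `gpgkeyids` option in the sample .repo text is hypothetical, the keyids are constructed, and the cryptographic verification itself is represented by a flag, since the point here is the per-repo policy layered on top of it.

```python
import configparser

# Constructed sample yum repo config. "gpgkeyids" is a hypothetical option
# standing in for the per-repo allowed-keyid list proposed in the thread.
REPO_CONF = """
[base]
name=Base
gpgcheck=1
gpgkeyids=0xDEADBEEF, 0x12345678

[extras]
name=Extras
gpgcheck=1
gpgkeyids=0xCAFEF00D
"""

# Constructed stand-in for keys imported into the rpmdb (shared by all repos).
RPMDB_KEYIDS = {"deadbeef", "12345678", "cafef00d"}


def normalize_keyid(keyid):
    """Lower-case, drop a 0x prefix, keep the trailing 8 hex digits so that
    long and short forms of the same keyid compare equal."""
    k = keyid.strip().lower()
    if k.startswith("0x"):
        k = k[2:]
    return k[-8:]


def load_allowed_keyids(conf_text):
    """Map repo id -> set of normalized keyids allowed for that repo."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    allowed = {}
    for repo in cp.sections():
        raw = cp.get(repo, "gpgkeyids", fallback="")
        allowed[repo] = {normalize_keyid(k) for k in raw.split(",") if k.strip()}
    return allowed


def gpgcheck(repo, sig_keyid, sig_valid, allowed, rpmdb=RPMDB_KEYIDS):
    """Return (ok, reason). sig_valid is the result of rpm's own signature
    verification; the third step is the per-repo restriction."""
    if sig_keyid is None:
        return False, "no signature"                      # step 1
    kid = normalize_keyid(sig_keyid)
    if kid not in rpmdb or not sig_valid:
        return False, "signature not valid"               # step 2
    if kid not in allowed.get(repo, set()):
        return False, "key imported but not allowed for " + repo   # step 3
    return True, "ok"
```

A package signed with the extras key is still rejected from base even though that key is in the rpmdb, which is exactly the case the thread wants to catch.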