I can sign packages ONLY with gpg, and only with one key
As a user, I need the ability to use a different signing command. In some environments a Hardware Security Module may be used for signing, and interaction with it requires a different command line.
Also, I need the ability to determine which signature key to use based on the repository name.
This functionality has already been implemented in pulp_deb, and may be useful as a starting point for a central signing facility offered by pulpcore.
Extensible way to GPG-sign repository metadata.
In certain environments, GPG private keys are secured in an HSM,
instead of being in a keyring, unprotected by a passphrase.
This allows one to change the signing command, and passes
repository ID information as an environment variable into
the signing command, in case different keys need to be used.
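
As an added example (not code from pulp_deb or pulpcore), a signing command of the kind described above could pick the key from the repository ID it receives in the environment and refuse to sign when no key is mapped. The variable name `SIGN_REPO_ID`, the repository names and the key fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: per-repository key selection for an external signing command.
# SIGN_REPO_ID is a hypothetical variable name; the page does not name the real one.
# Repository names and fingerprints below are constructed placeholders.

# Print the signing key fingerprint for a repository ID.
# Fails closed: a malformed or unmapped ID never falls back to a default key.
select_signing_key() {
    repo_id=${1:-}
    # The ID arrives through the environment, so validate it before use.
    case $repo_id in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing malformed repository id" >&2
            return 2 ;;
    esac
    case $repo_id in
        debian-stable)  echo "0000000000000000000000000000000000000001" ;;
        debian-testing) echo "0000000000000000000000000000000000000002" ;;
        *)
            echo "no signing key configured for '$repo_id'" >&2
            return 3 ;;
    esac
}

# Produce a detached, armored signature next to the given file.
# An HSM-backed deployment would swap this gpg call for its own signing CLI.
sign_file() {
    file=${1:-}
    key=$(select_signing_key "${SIGN_REPO_ID:-}") || return $?
    gpg --batch --yes --local-user "$key" \
        --armor --detach-sign --output "$file.asc" "$file"
}

# Only sign when explicitly invoked as: script --sign <file>
if [ "${1:-}" = "--sign" ] && [ -n "${2:-}" ]; then
    sign_file "$2"
fi
```
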