
Story #4812

Updated by dalley almost 5 years ago

 
(Clone of Pulp 2 issue https://pulp.plan.io/issues/3055)


To allow a Yum repository to be used with Yum clients that have repo_gpgcheck=1 configured in /etc/yum.conf:

1. Create a new GPG signing key that can be used by Pulp worker processes without a password. (Documentation provides example procedures.)
2. Append the public key associated with the new GPG signing key to the gpgkey file specified in the distributor config for the Yum repository in Pulp.
3. Set gpg_sign_metadata to True in the distributor config for the Yum repository in Pulp.

See also https://access.redhat.com/solutions/2850911


More detailed description from Neal Gompa (Conan_Kudo, Fedora contributor):

 Signed repositories (for RPM repos) are when the `repomd.xml` file (the index file referencing all other parts of the RPM metadata) is signed using _a_ GPG key (but does not necessarily have to be the same key as the packages, though usually is) in the form of a detached signature (`repomd.xml.asc`) that is placed next to the `repomd.xml` file. Package managers like DNF, Zypper, and YUM can use this when `repo_gpgcheck=1` is set in the .repo file to validate the XML before reading it. SUSE systems _require_ this by default and will not normally fetch repos that are not signed. If the GPG key for the repository metadata differs from the packages' GPG key, its public key must _also_ be present in the `gpgkey=` list in the .repo file.
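The three-step procedure above and the signing model in the description, carried through end to end with gpg as an added example (this is not Pulp's own code and not part of the original story). It assumes GnuPG 2.1 or newer for --quick-gen-key; the key user-id, repository name, URLs, file names and the repomd.xml content are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Pulp's code: create a passphrase-less signing key, append
# its public half to the gpgkey file, sign repomd.xml with a detached armoured
# signature, and verify it the way a client with repo_gpgcheck=1 does.
# Key user-id, repo name, URLs and file names are assumed placeholders.
set -eu

# Step 1: passphrase-less signing key in an isolated keyring, so a worker
# process can sign without a prompt. Prints the key fingerprint.
make_signing_key() {
    local home="$1"
    mkdir -p "$home" && chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Pulp metadata signing (example) <pulp-signing@example.invalid>' \
        default default never
    GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2: append (not overwrite) the public key to the gpgkey file clients fetch,
# so a different package-signing key already listed there stays in place.
append_pubkey() {
    local home="$1" keyfile="$2"
    GNUPGHOME="$home" gpg --batch --armor --export >> "$keyfile"
}

# Step 3, the publish-time effect of gpg_sign_metadata=True: a detached,
# ASCII-armoured signature repomd.xml.asc placed next to repomd.xml.
sign_repomd() {
    local home="$1" repodata="$2"
    GNUPGHOME="$home" gpg --batch --yes --quiet --armor --detach-sign \
        --output "$repodata/repomd.xml.asc" "$repodata/repomd.xml"
}

# Client side: import the keys from the gpgkey file into a fresh keyring and
# verify repomd.xml.asc against repomd.xml. Exit status 0 means a valid signature.
verify_repomd() {
    local keyfile="$1" repodata="$2" chome
    chome=$(mktemp -d) && chmod 700 "$chome"
    GNUPGHOME="$chome" gpg --batch --quiet --import "$keyfile" 2>/dev/null
    GNUPGHOME="$chome" gpg --batch --verify "$repodata/repomd.xml.asc" "$repodata/repomd.xml" 2>/dev/null
}

# The .repo entry the client needs: repo_gpgcheck=1 plus the metadata key under gpgkey=.
write_repo_file() {
    local baseurl="$1" keyurl="$2"
    cat <<EOF
[example-signed]
name=Example signed repository
baseurl=$baseurl
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=$keyurl
EOF
}

# End to end: returns 0 when the signed repomd.xml verifies and a tampered copy
# is rejected, 1 otherwise. Everything lives in a temp directory.
demo() {
    local work keyhome repodata keyfile fpr
    work=$(mktemp -d)
    keyhome="$work/signing-key"; repodata="$work/repodata"; keyfile="$work/RPM-GPG-KEY-example"
    mkdir -p "$repodata"
    # Constructed stand-in for a real repomd.xml.
    printf '<?xml version="1.0"?>\n<repomd xmlns="http://linux.duke.edu/metadata/repo"><revision>1</revision></repomd>\n' \
        > "$repodata/repomd.xml"
    fpr=$(make_signing_key "$keyhome")
    echo "signing key fingerprint: $fpr"
    append_pubkey "$keyhome" "$keyfile"
    sign_repomd "$keyhome" "$repodata"
    verify_repomd "$keyfile" "$repodata" || return 1            # untouched metadata must verify
    echo '<!-- tampered -->' >> "$repodata/repomd.xml"
    if verify_repomd "$keyfile" "$repodata"; then return 1; fi  # modified metadata must fail
    write_repo_file "file://$work" "file://$keyfile"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 bash signed-repomd.sh`. gpg reports the good signature with a "key is not certified" warning but still exits 0; that is the same outcome a client sees, since repo_gpgcheck relies on the key being listed in gpgkey=, not on web-of-trust certification. The tampered-file step is the point of the whole feature: any change to repomd.xml after signing, whether in transit or on a compromised mirror, makes the client refuse the metadata before it parses it.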
