> > An RFE for yum has been to provide a list of gpg keyids that are valid
> > per-repository.
> >
> > So then the gpgcheck process would be:
> >
> > 1. check if the sig exists
> > 2. check if the sig is valid
> > 3. if both are true, check to see if the keyid matches on the allowed
> > keyid for packages from that repo.
>
> A couple of questions here.
>
> - What key is used for this purpose (to sign the metadata)?
> - Where does the user store this public key?
> - What prevents the clueless users from having the same expectation from
> a gpg-signed metadata-repo as they have with gpg-signed packages?

This is just based on keys in your rpmdb. The idea is this: if you have 3 repos available to yum. They are signed with 3 separate gpg keys. So you've imported all the keys into your rpmdb. The whole point of the feature I described before is so you can say: the only packages I want from this repository are signed with _this_ key. If you get a package from this repository that is signed with any other key, even if I have that key in my rpmdb, don't trust it.

-sv
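The three-step check described in the quoted RFE, written out as a small policy function. This is an added illustration, not yum's code or anything from the thread's authors: the `gpgkeyids` repo option, the `.repo` text, and the set of "imported" key ids are all constructed for the example, and the cryptographic verification of the signature is assumed to have been done already (by rpm) so only the resulting key id is fed into the policy.

```python
"""Per-repository GPG key allow-list, modelled on the three-step check in the thread.

Constructed example.  `gpgkeyids` is a hypothetical repo option (the RFE asks for
something like it); it is not a real yum setting.  Signature verification itself is
assumed to happen elsewhere; this module only applies the policy to its result.
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed repo configuration in yum's .repo style.  "base" and "extras" carry the
# hypothetical per-repo allow-list; "updates" deliberately omits it and so falls back
# to today's behaviour (any key in the rpmdb is acceptable).
REPO_CONFIG = """
[base]
name=Base
baseurl=http://example.invalid/base
gpgcheck=1
gpgkeyids=0xDEADBEEFCAFEF00D

[extras]
name=Extras
gpgcheck=1
gpgkeyids=0123456789ABCDEF, fedcba9876543210

[updates]
name=Updates
gpgcheck=1
"""

# Constructed stand-in for the public keys already imported into the rpmdb.
RPMDB_KEYIDS = {
    "DEADBEEFCAFEF00D",
    "0123456789ABCDEF",
    "FEDCBA9876543210",
    "1111222233334444",  # imported, but allowed for no specific repo
}


def normalize_keyid(keyid: str) -> str:
    """Canonical form: drop an optional 0x prefix and upper-case the hex digits.
    Comparison is exact, so list long key ids (or fingerprints), not 8-hex short ids."""
    keyid = keyid.strip()
    if keyid.lower().startswith("0x"):
        keyid = keyid[2:]
    return keyid.upper()


def load_allowed_keyids(config_text: str) -> dict:
    """Map repo id -> set of allowed key ids.  An empty set means 'no restriction'."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    allowed = {}
    for repo in parser.sections():
        raw = parser.get(repo, "gpgkeyids", fallback="")
        allowed[repo] = {normalize_keyid(k) for k in raw.split(",") if k.strip()}
    return allowed


@dataclass
class SigResult:
    """Outcome of rpm's signature check on one package (constructed, not rpm's API)."""
    present: bool              # step 1: a signature header exists
    valid: bool                # step 2: the signature verifies cryptographically
    keyid: Optional[str] = None  # id of the key that made the signature


def check_package(repo: str, sig: SigResult, allowed: dict, rpmdb_keyids: set) -> tuple:
    """Return (trusted, reason) for a package downloaded from `repo`."""
    # Step 1: a signature has to be there at all.
    if not sig.present:
        return False, "no signature"
    # Step 2: it has to verify, and the signing key has to be one we imported.
    keyid = normalize_keyid(sig.keyid or "")
    if not sig.valid or keyid not in rpmdb_keyids:
        return False, "signature not valid against any imported key"
    # Step 3: if the repo names specific keys, the signer must be one of them, even
    # though the key is otherwise trusted in the rpmdb.  A repo without the option
    # (or an unknown repo id) keeps the old 'any imported key' behaviour.
    repo_keys = allowed.get(repo, set())
    if repo_keys and keyid not in repo_keys:
        return False, f"key {keyid} is in the rpmdb but is not allowed for repo {repo}"
    return True, "ok"


if __name__ == "__main__":
    allowed = load_allowed_keyids(REPO_CONFIG)
    # A key that is perfectly valid and imported, but belongs to a different repo.
    print(check_package("base", SigResult(True, True, "0123456789ABCDEF"), allowed, RPMDB_KEYIDS))
```

The interesting case is the last one in the `__main__` block: the signature is good and the key is in the rpmdb, so steps 1 and 2 pass, and only the per-repo list in step 3 rejects it. That is exactly the "even if I have that key in my rpmdb, don't trust it" outcome the reply asks for.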