Bug 1227617

Summary: RFE: Automatic deployment of Package/Channel Signing Keys
Product: [Community] Spacewalk
Reporter: Jonathan Hoser <jonathan>
Component: Server
Assignee: Tomas Lestach <tlestach>
Status: CLOSED NOTABUG
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: unspecified
Priority: unspecified
Version: 2.3
CC: jdobes, mmraka
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2020-02-28 13:09:15 UTC
Type: Bug
Bug Blocks: 737830

Description Jonathan Hoser 2015-06-03 07:02:53 UTC
Description of problem:

Every time we add a new Channel, we may (or may not) add 'Security: GPG' information on the channel's signing key;

However these keys/values are not used afaik (I'd be pleased to be proven wrong).

When deploying/adding a new software channel to a system,
we still need to more or less manually deploy the signing key via 

rpm --import ./somekey

because otherwise yum/... will complain about the unknown key.

Now to the RFC:
IF we already have all the information (the 'Security: GPG' section),
why can't we automatically import a thus given key on a system where the 
software channel is added?

Comment 1 Michael Mráka 2020-02-28 13:09:15 UTC
The GPG key value is actually used by yum/dnf on the client to import the key.

However, the yum/dnf spacewalk plugin only allows importing keys from the local /etc/pki/rpm-gpg/.
This is for security reasons - you'd download both the packages and the key from the (same) remote site, and then verification would be useless, as an attacker could forge both the packages and the key.
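
The restriction described in Comment 1, as an added example that is not part of the original bug report and is not the Spacewalk plugin's own code: a check that accepts a channel's GPG key location only when it names a file inside the local /etc/pki/rpm-gpg/. It assumes the key location is given as a URL or absolute path; the function names and the sample channel entries are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

TRUSTED_KEY_DIR = "/etc/pki/rpm-gpg"  # local directory named in Comment 1


def local_key_path(gpgkey_url, trusted_dir=TRUSTED_KEY_DIR):
    """Return the normalized local key path, or None if the URL is not acceptable.

    Hypothetical helper: only file:// URLs or absolute paths that stay inside
    trusted_dir pass. A key fetched from the package server proves nothing.
    """
    parts = urlsplit(gpgkey_url.strip())
    if parts.scheme not in ("", "file"):
        return None  # http/https/ftp: same remote origin as the packages
    if parts.netloc not in ("", "localhost"):
        return None  # file://otherhost/... is not a local file
    if parts.query or parts.fragment:
        return None
    path = unquote(parts.path)  # decode %2e%2e before checking for traversal
    if not path.startswith("/") or "\x00" in path:
        return None
    # Lexical normalization only: collapses "..", "." and repeated slashes.
    # On a real client, also resolve symlinks (os.path.realpath) before trusting it.
    normalized = posixpath.normpath("/" + path.lstrip("/"))
    if normalized == trusted_dir:
        return None  # the directory itself is not a key file
    # commonpath compares whole components, so /etc/pki/rpm-gpg-evil does not match
    if posixpath.commonpath([normalized, trusted_dir]) != trusted_dir:
        return None
    return normalized


def audit_channels(channels):
    """Map each channel label to its accepted local key path (None = rejected)."""
    return {label: local_key_path(url) for label, url in channels.items()}


# Constructed sample data, not taken from any real Spacewalk server.
SAMPLE_CHANNELS = {
    "base-x86_64": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example",
    "custom-tools": "https://spacewalk.example.com/pub/RPM-GPG-KEY-custom",
    "traversal": "file:///etc/pki/rpm-gpg/%2e%2e/%2e%2e/tmp/evil.key",
}

if __name__ == "__main__":
    for label, result in audit_channels(SAMPLE_CHANNELS).items():
        print(label, "->", result or "REJECTED (key must be deployed locally)")
```

Rejected channels are the ones whose key still has to reach the client through a separate trusted path, such as the manual `rpm --import` mentioned in the description.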