Signing Key / Signature Tracking use cases

[dralley]

This thread is for a discussion about different use cases around tracking, management and enforcement of package signatures

[dralley]

As a user, I want to be able to query or track which packages have been signed by which keys

Covers:

• Representation of key metadata in Pulp and how it is queried

[dralley]

As a user, I would like to be able to attest / enforce that all packages in repo X are signed by a trusted key

Questions:

• "a" key? We probably need to upload a keyring / multiple acceptable public keys. Subkeys, multiple keys per org, etc.

Covers:

• Representation of key metadata in Pulp and how it is queried
• Workflows

[dralley]

As a user, I would like to verify package signatures of incoming packages against known public keys

Questions:

• Same questions about public key management apply

Covers:

• Sync-time implementation details and subsequent consequences
• Upload-time implementation details and subsequent consequences

[dralley]

As a user, I would like to be able to inspect some information about the keys (algorithm, fingerprint, key ID, signature version)

Questions:

• Same questions about public key management apply
• How to store the metadata?