What happened earlier about the broken repository signature: we
simply forgot to update the signature after creating the
metadata (it's a bit more complex, but in essence, it's what
happened).
This is fixed now, and all mirrors [1] should be up-to-date with
correct signatures.
Most of you who have been using the Packman repository for some
time probably remember the hassle that YaST and zypper were
always complaining about "NOKEY" on the packages.
The reason was that our packages were signed with a different
key than the repository metadata.
Zypper and YaST have a mechanism to import keys when you refresh
a repository for the first time: it's when it prompts you
whether you want to accept that key temporarily/always/etc...
The problem for Packman is that it imports the key
(repodata/repomd.xml.key) that is used to sign the repository
metadata (repodata/repomd.xml.asc), but it doesn't have any
mechanism to also import another key that is used to sign the
RPM files (the signatures are inside the RPM files).
Now we implemented a mechanism to re-sign the packages with the
same key as the one used for the repository metadata and, hence,
there won't be any "NOKEY" warnings nor any need to install the
package "rpmkey-packman" any more.
On a side note, here is the relevant data about that key:
* it's a 4096 RSA key
* Key ID: 45A1D0671ABD1AFB
(shows up as ID "1ABD1AFB" in RPM)
* Key Name: PackMan Project (signing key)