Comment # 1 on bug 1184808 from
The basic idea:

- Inside the signed repodata.xml one can list additional gpg keys which should
  be suggested to be imported along with the key signing the metadata.

  [repomd.xml]
    <repomd>
      <tags>
        <content>gpg-pubkey-0dfb3188-41ed929b.asc</content>
      </tags>
      <data ....

We'd expect a tag matching:

    gpg-pubkey-{KEYID}-.*

to denote an (optional) file in the repo's root containing an ASCII-armored key
with ID {KEYID}. If key {KEYID} is not already in the rpmdb, we'd try to
download the file.

If it actually contains a key with this ID, we'd ask whether the user wants to
trust and import the key like we do for the key signing the metadata.
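
The checks described in this comment, sketched as an added example (not part of the original comment and not the project's own code). It assumes KEYID is 8 or 16 hex digits and that the installed key IDs and the downloaded key's ID are supplied by the caller; the function names and all sample data except the first tag are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Strict form of the comment's gpg-pubkey-{KEYID}-.* pattern. Assumptions:
# KEYID is 8 or 16 hex digits and the remainder is a plain file name.
TAG_RE = re.compile(r"gpg-pubkey-([0-9A-Fa-f]{16}|[0-9A-Fa-f]{8})-[A-Za-z0-9._-]*")

# Constructed sample; only the first <content> value appears in the comment.
SAMPLE = """<repomd>
  <tags>
    <content>gpg-pubkey-0dfb3188-41ed929b.asc</content>
    <content>gpg-pubkey-aabbccdd-00000000.asc</content>
    <content>gpg-pubkey-deadbeef-../../x.asc</content>
    <content>unrelated-tag</content>
  </tags>
</repomd>"""

def local(tag):
    """Strip an XML namespace so a namespaced repomd.xml is handled too."""
    return tag.rsplit("}", 1)[-1]

def key_hints(repomd_xml):
    """Return (keyid, filename) for each <tags>/<content> naming a key file."""
    hints = []
    for tags in (e for e in ET.fromstring(repomd_xml).iter() if local(e.tag) == "tags"):
        for child in (c for c in tags if local(c.tag) == "content"):
            name = (child.text or "").strip()
            m = TAG_RE.fullmatch(name)
            # The tag becomes a path under the repo root, so it must stay a
            # bare file name: no separators (regex) and no "..".
            if m and ".." not in name:
                hints.append((m.group(1).lower(), name))
    return hints

def same_key(a, b):
    """Compare key IDs of different lengths by their common tail."""
    a, b = a.lower(), b.lower()
    return bool(a) and bool(b) and (a.endswith(b) or b.endswith(a))

def keys_to_fetch(hints, installed_keyids):
    """Keep only hints whose key is not already installed (the rpmdb check)."""
    return [h for h in hints if not any(same_key(h[0], k) for k in installed_keyids)]

def key_matches_hint(hint_keyid, downloaded_keyid):
    """Accept the downloaded file only if it holds the key its name promised.
    Short IDs collide, so the trust prompt should show the full fingerprint."""
    return same_key(hint_keyid, downloaded_keyid)
```
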

