https://bugzilla.suse.com/show_bug.cgi?id=1184808 https://bugzilla.suse.com/show_bug.cgi?id=1184808#c1 --- Comment #1 from Michael Andres <ma@suse.com> --- The basic idea: - Inside the signed repodata.xml one can list additional gpg keys which should be suggested to be imported along with the key signing the metadata. [repomd.xml] <repomd> <tags> <content>gpg-pubkey-0dfb3188-41ed929b.asc</content> </tags> <data .... We'd expect a tag matching: gpg-pubkey-{KEYID}-.* to denote an (optional) file in the repos root containing an ascii armored key with ID {KEYID}. If key {KEYID} is not already in the rpmdb, we'd try to download the file. If it actually contains a key with this ID, we'd ask whether the user wants to trust and import the key like we do for the key signing the metadata. -- You are receiving this mail because: You are on the CC list for the bug.