Feature changed by: Marcus Meissner (msmeissn)
Feature #324163, revision 5
Title: Embed GPG key in the .YMP files of meta-package-handler
Requested by: Marcus Meissner (msmeissn)
Partner organization: openSUSE.org
Security is currently trying to improve the security of adding
additional package repositories.
We are trying to add https support to download.opensuse.org
provided repository URLs.
One suggestion from a openSUSE user was to add GPG keys in the Yast
Metapackage YMP files.
Can we embed GPG files into the YMP files and have the yast2-meta-
package-handler handle it?
- trackerbug (bugzilla/id: 1060955)
- We want to safely enable repositories.
has gained https support and we can now download .
- YMP files over https connection.
+ We want to safely enable repositories supplyable by searchable
+ For instance software.opensuse.org
has gained https support and we can
+ now download .YMP files over https connection.
But the repositories listed inside are "http" as long as we have not
converted the download.opensuse.org
framework to be https capable.
So an idea by a community user was to include the GPG information
within the .YMP file, so addition of repositories and establishing
trust could happen at the same time.
+ On clicking the YMP file, the repositories would be added and the GPG
+ keys supplied into the RPM keyring.