It's become increasingly desired to have signed repository metadata along with signed packages.
It has been requested in Fedora, is done in CentOS, requested in Mageia, and openSUSE does this for all repos made by OBS.
Koji already signs packages, so it's a logical extension (from a user point of view) to have signing repository metadata, too.
> Koji already signs packages
Not quite true. Koji records rpm signatures. It can splice different signature headers in and out, but it cannot generate them by itself.
Metadata Update from @mikem: - Issue tagged with: discussion
I think the current workaround would be to generate the dist repo through Koji and manually sign the repodata afterwards.
We might want to add a call that allows another tool to add a signature to a dist repo, allowing such a tool to work without direct rw access to /mnt/koji
Note that there's really not much to the actual signing part. Pretty much just:
$ gpg --detach-sign --armor repodata/repomd.xml
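An added illustration of why signing only repomd.xml is enough to cover the whole repodata directory (this is example code, not Koji's or createrepo's own): the detached signature from the gpg command above lands in repomd.xml.asc, and repomd.xml in turn records the SHA-256 of every metadata file it references, so a client that has verified the signature can reject any tampered primary/filelists/other file by walking those checksums. The repomd.xml, the primary.xml.gz stand-in and the tampered copy are all constructed inline; the XML layout follows the repomd namespace createrepo writes, but the values are made up for this demo and fields not involved in the integrity chain (size, timestamp) are omitted.

```python
"""Walk the checksum chain that a detached signature on repomd.xml anchors.

Added example, not Koji or createrepo code. A GPG signature over
repomd.xml covers the rest of the repodata only because repomd.xml
carries the SHA-256 of each metadata file it points to. Every input
below is constructed for the demo.
"""
import gzip
import hashlib
import xml.etree.ElementTree as ET

REPO_NS_URI = "http://linux.duke.edu/metadata/repo"
REPO_NS = "{" + REPO_NS_URI + "}"
ET.register_namespace("", REPO_NS_URI)

# Constructed stand-in for repodata/<hash>-primary.xml.gz (an empty repo).
PRIMARY_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<metadata xmlns="http://linux.duke.edu/metadata/common" packages="0"/>\n'
)
PRIMARY_GZ = gzip.compress(PRIMARY_XML, mtime=0)  # mtime=0 keeps bytes reproducible


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_repomd(entries: dict) -> bytes:
    """Constructed repomd.xml with one <data> element per metadata file.

    entries maps data type -> (href, compressed bytes, uncompressed bytes).
    Only the fields that form the integrity chain are emitted.
    """
    root = ET.Element(REPO_NS + "repomd")
    ET.SubElement(root, REPO_NS + "revision").text = "1"
    for dtype, (href, blob, opened) in entries.items():
        data = ET.SubElement(root, REPO_NS + "data", type=dtype)
        ET.SubElement(data, REPO_NS + "checksum", type="sha256").text = sha256(blob)
        ET.SubElement(data, REPO_NS + "open-checksum", type="sha256").text = sha256(opened)
        ET.SubElement(data, REPO_NS + "location", href=href)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def verify_repodata(repomd_xml: bytes, files: dict) -> dict:
    """Check every <data> entry of repomd.xml against the fetched files.

    files maps href -> downloaded bytes. Returns {data type: ok}.
    The compressed checksum is checked first, so a file that fails it is
    never decompressed (a tampered .gz need not even be valid gzip).
    This step only means something after repomd.xml.asc has been
    verified: an attacker who can rewrite the files can also rewrite
    the checksums in an unsigned repomd.xml.
    """
    root = ET.fromstring(repomd_xml)
    results = {}
    for data in root.findall(REPO_NS + "data"):
        dtype = data.get("type")
        href = data.find(REPO_NS + "location").get("href")
        want = data.find(REPO_NS + "checksum").text
        blob = files.get(href)
        if blob is None or sha256(blob) != want:
            results[dtype] = False
            continue
        open_cs = data.find(REPO_NS + "open-checksum")
        if open_cs is None:
            results[dtype] = True
            continue
        try:
            results[dtype] = sha256(gzip.decompress(blob)) == open_cs.text
        except OSError:  # gzip.BadGzipFile is an OSError
            results[dtype] = False
    return results


REPOMD_XML = build_repomd(
    {"primary": ("repodata/primary.xml.gz", PRIMARY_GZ, PRIMARY_XML)}
)

# Tampered primary.xml.gz: still valid gzip, but the package count changed.
TAMPERED_GZ = gzip.compress(
    PRIMARY_XML.replace(b'packages="0"', b'packages="1"'), mtime=0
)


def demo() -> tuple:
    good = verify_repodata(REPOMD_XML, {"repodata/primary.xml.gz": PRIMARY_GZ})
    bad = verify_repodata(REPOMD_XML, {"repodata/primary.xml.gz": TAMPERED_GZ})
    return good, bad


if __name__ == "__main__":
    print(demo())  # ({'primary': True}, {'primary': False})
```

The piece the example deliberately leaves out is the signature check itself: in practice dnf fetches repomd.xml.asc when a repo is configured with repo_gpgcheck=1 and verifies it against the keys in gpgkey before trusting any of these checksums, which is exactly why the one file worth signing is repomd.xml.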
Closing this as doing signing is outside the scope of Koji. However, for anyone interested in this functionality, https://taiga.fedorainfracloud.org/project/acarter-fedora-docker-atomic-tooling/us/799?kanban-status=145 has good discussion on the approach that Fedora considered and why they ended up not going with signed repos.
Metadata Update from @dgregor: - Custom field Size adjusted to None - Issue close_status updated to: Dropped - Issue status updated to: Closed (was: Open)
@dgregor Signing should not be outside the scope of Koji. It has always been a mistake that Koji considers signing packages and repodata to be outside its purview, when everyone realistically considers it part of building and releasing software.
With Koji having dist-repos and such, there's literally no reason that functionality shouldn't exist as part of Koji.
Metadata Update from @ngompa: - Issue status updated to: Open (was: Closed)
Ticket for supporting signing repomd.xml in Pungi: https://pagure.io/pungi/issue/506
Ticket for supporting signing repomd.xml via Robosignatory: https://pagure.io/robosignatory/issue/14
We talked about this in the Koji community meeting today. It might be possible to make the builder that runs the distRepo task also run gpg (or another command) to sign the metadata at the end of the task. It's possible that we could implement this as a kojid plugin as a proof-of-concept before it goes into the main Koji tree.