#14 Add capability to sign repomd.xml
Opened 6 years ago by puiterwijk. Modified 3 years ago
This would be really handy for signing Debian repositories as well. For Debian packaging, we just GPG-sign (clearsign) the "Release" file in the repository metadata. It's a text file, similar to repomd.xml.

Maybe a generalized "clearsign" feature?

@ktdreyer That might be an idea, sure.
Do note though that Sigul already supports it, and the part that would need robosignatory code is the part where it actually connects a specific fedmsg message to figuring out which file to sign, and performs that.
So do you have an idea which fedmsg you'd like to trigger that on, and where in that message it can find the information needed to find the file to request signing for?

Strawman proposal:

We have a new "sign-text-request" queue and "sign-text-response" topic.

A fedmsg client (could be a CLI or library, whatever) would post a message to the "sign-text-request" queue. This message would contain the textual contents of repomd.xml.

Robosignatory listens for sign-text-request messages, and writes the textual contents to a tempfile. It then GPG-signs the file (delegating to sigul here). It posts the original text and the detached ascii-armor signature in a new message to the "sign-text-response" topic.

The fedmsg client would need to post to the "-request" queue and then wait for the message back on the "-response" topic.

A typical signed ubuntu.com Release file is roughly 236kb: http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease . In practice, these are smaller for smaller repositories, e.g. http://ppa.launchpad.net/git-core/ppa/ubuntu/dists/bionic/InRelease is 15kb.
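The request/response exchange sketched in the strawman above, as an added example written here (not robosignatory or sigul code): the client wraps the repomd.xml text in a sign-text-request, the signing side writes it to a tempfile, signs it and posts a sign-text-response carrying text plus detached armored signature, and the client accepts a reply only if it is for its own request and the text came back unchanged. The request_id field, the pluggable signer callback and the plain gpg backend standing in for sigul are assumptions.

```python
"""Strawman sign-text-request / sign-text-response flow (added example)."""
import subprocess
import tempfile
import uuid
from typing import Callable

REQUEST_TOPIC = "sign-text-request"    # queue name from the proposal
RESPONSE_TOPIC = "sign-text-response"  # topic name from the proposal
ARMOR_HEADER = "-----BEGIN PGP SIGNATURE-----"


def build_request(text: str) -> dict:
    """Client side: wrap the textual contents of repomd.xml in a request.
    request_id is an assumption; it lets the client match the reply to its own request."""
    return {"topic": REQUEST_TOPIC, "request_id": str(uuid.uuid4()), "text": text}


def gpg_detach_sign(path: str, key_id: str) -> str:
    """Assumed backend: plain gpg instead of sigul; returns an ASCII-armored detached signature."""
    out = subprocess.run(
        ["gpg", "--batch", "--yes", "--armor", "--detach-sign",
         "--local-user", key_id, "--output", "-", path],
        check=True, capture_output=True)
    return out.stdout.decode()


def handle_request(msg: dict, signer: Callable[[str], str]) -> dict:
    """Signing side: validate the message, write the text to a tempfile, sign it,
    and return the response message. Authorization is left to the bus, as the
    thread assumes fedmsg handles access control."""
    if msg.get("topic") != REQUEST_TOPIC or not isinstance(msg.get("text"), str) \
            or not isinstance(msg.get("request_id"), str):
        raise ValueError("malformed sign-text-request")
    with tempfile.NamedTemporaryFile("w", suffix=".xml") as tmp:
        tmp.write(msg["text"])
        tmp.flush()
        signature = signer(tmp.name)  # signer gets the path, returns armored text
    return {"topic": RESPONSE_TOPIC, "request_id": msg["request_id"],
            "text": msg["text"], "signature": signature}


def accept_response(request: dict, response: dict) -> bool:
    """Client side: only trust a reply that answers our request_id, echoes the
    exact text we submitted, and carries an armored signature block."""
    return (response.get("topic") == RESPONSE_TOPIC
            and response.get("request_id") == request["request_id"]
            and response.get("text") == request["text"]
            and str(response.get("signature", "")).startswith(ARMOR_HEADER))
```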

@ktdreyer what would be involved in implementing this feature? QubesOS wants to implement it once it has started signing its own metadata.

I don’t consider the DNF limitation to actually be a blocker. There is no harm in generating the signatures, even if we cannot make checking them the default yet.

I am going to be implementing this.

@ktdreyer would you mind reviewing https://pagure.io/robosignatory/pull-request/51? The core assumption made is that fedmsg handles access control.

Metadata
Related Pull Requests
  • #51 Merged 2 years ago