Merge pull request #4546 from cgwalters/doc-gpg-keys

man: Describe GPG key behavior
coreos · Aug 25, 2023 · ac1ad48 · ac1ad48
2 parents 00a1eb6 + 6033e5a
commit ac1ad48
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/man/rpm-ostree.xml b/man/rpm-ostree.xml
@@ -897,6 +897,31 @@ $ systemctl start postgresql  # Some setup required
 
   </refsect1>
 
+  <refsect1>
+    <title>Repository configuration and GPG keys</title>
+
+    <para>
+      rpm-ostree uses the libdnf shared library, which honors <literal>/etc/yum.repos.d</literal>.
+      Note that rpm-md (yum/dnf) repositories are only checked if client-side package layering is
+      enabled.
+    </para>
+
+    <para>
+      However, the behavior for GPG keys is slightly different from a traditional <command>rpm</command>
+      system.  Essentially, all GPG keys in <literal>/etc/pki/rpm-gpg</literal> are loaded and trusted.
+      The <literal>.repo</literal> file should reference the file path in there.
+    </para>
+    <para>
+      The <literal>rpm --import /path/to/key.gpg</literal> command will not function today on a
+      live/booted system because rpm tries to write directly to the RPM database.
+    </para>
+
+    <para>
+      However, during a container build process, the RPM database is writable and such changes will
+      persist.
+    </para>
+  </refsect1>
+
   <refsect1>
     <title>See Also</title>