- Feature Request
- Resolution: Won't Do
- Major
- 6.2.2
- CLOSED
- Phoenix - Content

Good evening,
I have a customer who is requesting the option within Satellite to sign repo metadata per STIG compliance guidelines.
I do see that repo_gpgcheck=1 is not yet supported per this related BZ:
Bug 1360939 - Putting repo_gpgcheck=1 into yum.conf causes 404 Errors
https://bugzilla.redhat.com/show_bug.cgi?id=1360939
However, as the customer is asking for repo metadata signing capability for Satellite software specifically, I thought it might be worthwhile to open a low-severity RFE at the very least.
From the customer:
~~~
DISA STIG requires that yum repo metadata be signed as well as the rpms themselves. Satellite however does not support the ability to sign the repo metadata itself.
The following is a link to the scap-security-guide requirement to have this turned on
(The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.)
This is marked as a CAT I security setting and will be highly visible to our customer if left turned off.
The request is to give Satellite the ability to select if the metadata should be signed with the key provided for rpm verification.
~~~