Excerpts from Dan Callaghan's message of 2018-03-15 15:07 +10:00:

Back in September 2016, we began publishing GPG-signed RPM packages in our server and client yum repos here:

https://beaker-project.org/yum/

Due to some rearrangements in how we are handling our builds, starting tonight these repos will no longer contain signed packages. If you have gpgcheck=1 in /etc/yum.repos.d/ you will need to change this back to gpgcheck=0. Sorry for the inconvenience.

In future we want to get this signing process going again and we will be looking at ways to enable that.

Just to follow up on this... The server and client repos for RHEL are *back* to being signed again. I have updated the .repo files to have gpgcheck=1 and point at the appropriate GPG keys.

Note that the GPG signing key we are using is different to the one we had used in the past. The old one is NOT revoked or compromised but we are simply not using it anymore due to changes in the way we are producing and signing these builds.

Please also note that the RPM files have been replaced with their signed versions although the NVR is unchanged. As a consequence, yum may get confused if it uses older cached repodata which specifies a different size and checksum for the file (unsigned rather than signed). In this case you may see an error from yum like: "Package does not match intended download". As a workaround, you can run "yum clean expire-cache".

The harness repos remaining unsigned for now, as do the *-testing repos.

The server and client repos for Fedora are also still unsigned for now, I am still working on this. At this stage it is more likely we will get all packages into Fedora itself and remove these repos instead.