openSUSE:Libzypp metadata signature
Metadata Signature Model
dmacvicar@suse.de
The model works as follows.
Each package has a checksum. The metadata file that lists the package also records that checksum, and any other metadata file that references a metadata file records the checksum of that file in turn. It is therefore impossible to change a package's checksum in a metadata file without also changing the checksum of the metadata file that lists it.
This builds a chain of checksum lists that ends at the master index. The master index contains the checksums of the metadata files that come next in the chain.
The master index is signed with a private key. The signature and the public key are made available in the repository.
If you try to change the master index, you will break the signature.
Publishing the public key in the repository is not strictly necessary, but the client must have the key in order to check whether the master index signature was generated with it. A key obtained from the repository itself proves nothing on its own: whoever can replace the master index can also replace the key, so the key must already be trusted by the client.
The SUSE model uses the keys in the RPM database as the trusted key list. When the package manager starts, all RPM keys are imported into a temporary runtime trusted keyring. Keys read from repositories are placed into a temporary non-trusted runtime keyring (unless they are already present in the trusted keyring).
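The chain described above, worked through as an added example. This is illustrative code written for this page, not libzypp code: the file names, the in-memory repository, the one-line-per-file list format and the use of Ed25519 are assumptions for illustration (real rpm-md repositories use repomd.xml and an OpenPGP signature). A toy publisher builds packages, a primary list recording their checksums and a master index recording the primary list's checksum, then signs the master index. An attacker on a mirror then tampers one level further up the chain at each step; the client, which verifies only against its own trusted key, rejects every version, including one re-signed with a key the attacker could ship alongside the repository.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// repo is a constructed in-memory repository: path -> file content.
type repo map[string][]byte

func sha256hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// makeList writes a checksum list in an assumed toy format: one "KIND sha256hex path"
// line per file, KIND being "PKG" (a package) or "META" (another checksum list).
func makeList(r repo, kind string, paths ...string) []byte {
	var sb strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&sb, "%s %s %s\n", kind, sha256hex(r[p]), p)
	}
	return []byte(sb.String())
}

// buildRepo constructs the toy repository (packages -> primary list ->
// master index) and signs the master index with the publisher's key.
func buildRepo(priv ed25519.PrivateKey) repo {
	r := repo{
		"pkgs/foo-1.0.rpm": []byte("constructed package payload: foo 1.0"),
		"pkgs/bar-2.3.rpm": []byte("constructed package payload: bar 2.3"),
	}
	r["repodata/primary.lst"] = makeList(r, "PKG", "pkgs/foo-1.0.rpm", "pkgs/bar-2.3.rpm")
	r["repodata/repomd.lst"] = makeList(r, "META", "repodata/primary.lst")
	r["repodata/repomd.lst.sig"] = ed25519.Sign(priv, r["repodata/repomd.lst"])
	return r
}

// verifyRepo checks the master index signature against the client's own
// trusted key (never a key taken from the repo), then walks the chain.
func verifyRepo(r repo, trusted ed25519.PublicKey) error {
	master, sig := r["repodata/repomd.lst"], r["repodata/repomd.lst.sig"]
	if !ed25519.Verify(trusted, master, sig) {
		return fmt.Errorf("repodata/repomd.lst: signature does not verify with trusted key")
	}
	return verifyList(r, master)
}

// verifyList checks each listed file against its recorded checksum (a missing
// file simply mismatches) and recurses into META entries down to the packages.
func verifyList(r repo, list []byte) error {
	for _, line := range strings.Split(strings.TrimSpace(string(list)), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return fmt.Errorf("malformed list line %q", line)
		}
		kind, sum, path := f[0], f[1], f[2]
		if sha256hex(r[path]) != sum {
			return fmt.Errorf("%s: checksum mismatch", path)
		}
		if kind == "META" {
			if err := verifyList(r, r[path]); err != nil {
				return err
			}
		}
	}
	return nil
}

// scenarios lets an attacker on a mirror edit one level further up the chain
// at each step and records what the client reports; element 0 is the clean repo.
func scenarios(pub ed25519.PublicKey, priv, attacker ed25519.PrivateKey) []error {
	r := buildRepo(priv)
	out := []error{verifyRepo(r, pub)}
	r["pkgs/foo-1.0.rpm"] = []byte("trojaned payload") // 1. swap a package
	out = append(out, verifyRepo(r, pub))
	r["repodata/primary.lst"] = makeList(r, "PKG", "pkgs/foo-1.0.rpm", "pkgs/bar-2.3.rpm") // 2. fix its list too
	out = append(out, verifyRepo(r, pub))
	r["repodata/repomd.lst"] = makeList(r, "META", "repodata/primary.lst") // 3. fix the master index too
	out = append(out, verifyRepo(r, pub))
	r["repodata/repomd.lst.sig"] = ed25519.Sign(attacker, r["repodata/repomd.lst"]) // 4. re-sign with a key shipped in the repo
	return append(out, verifyRepo(r, pub))
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	for i, err := range scenarios(pub, priv, attacker) {
		fmt.Printf("step %d: %v\n", i, err)
	}
}
```

Step 0 reports no error; steps 1 to 4 each report the level at which the tampering is caught: the package, the list that names it, the master index, and finally the signature. The last step is the point about the public key: a key carried in the repository would happily verify the attacker's signature, which is why the client only accepts keys already in its trusted keyring.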
The following workflow is used: