It'd be great if we could sign the testing repositories so that we can include the testing repositories in the SIGs' respective repository definitions packages (e.g. centos-release-hyperscale) to make them easily available to users and developers for testing. Currently we're hesitant about adding the testing repositories to the repository definitions packages because the packages in there are unsigned. If the packages were signed, this wouldn't be an issue.
I think this ticket is perhaps better filed with the Infrastructure SIG.
This seems reasonable to me from a policy standpoint. From an implementation standpoint, we probably want to use a different key, so that there's no confusion. Given that we already have "testing" keys for CentOS proper, doing the same for SIGs should be fine. So we'd have e.g. RPM-GPG-KEY-CentOS-SIG-HyperScale-Testing and sign the testing RPMs with it, while the prod ones continue to be signed with the regular RPM-GPG-KEY-CentOS-SIG-HyperScale key. I agree with @jwboyer that implementation belongs with Infra once there's agreement.
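As an added illustration of why the unsigned testing repository is the sticking point in the comment above (this is example code, not part of the ticket or of any CentOS release package), the script below builds a constructed `.repo` file with three stanzas: the production Hyperscale repository signed with `RPM-GPG-KEY-CentOS-SIG-HyperScale`, a testing repository shipped with `gpgcheck=0` (the state the ticket wants to avoid), and a hardened testing stanza that enforces signature checks against the proposed `RPM-GPG-KEY-CentOS-SIG-HyperScale-Testing` key. The `unsigned_enabled_repos` function then reports any enabled repository whose definition does not verify package signatures, which is the check a release engineer would run before shipping such a package. Repo ids, URLs and the testing key path are assumptions chosen for the example.

```shell
#!/bin/sh
# Constructed sample repository definition file (not the real
# centos-release-hyperscale content); written to a temp file so the
# check below can run offline.
SAMPLE_REPO_FILE="$(mktemp)"
cat > "$SAMPLE_REPO_FILE" <<'EOF'
[centos-hyperscale]
name=CentOS Hyperscale SIG (constructed example)
baseurl=https://example.invalid/hyperscale/$releasever/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-HyperScale

# Weak stanza: enabled, but nothing is verified because the testing
# packages are unsigned. This is what the ticket wants to avoid shipping.
[centos-hyperscale-testing-unsigned]
name=CentOS Hyperscale SIG - Testing (unsigned, constructed example)
baseurl=https://example.invalid/hyperscale-testing/$releasever/
enabled=1
gpgcheck=0

# Hardened stanza: disabled by default, signature checks enforced with a
# separate testing key (key file name follows the proposal in the ticket;
# the path is an assumption).
[centos-hyperscale-testing]
name=CentOS Hyperscale SIG - Testing (signed, constructed example)
baseurl=https://example.invalid/hyperscale-testing/$releasever/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-HyperScale-Testing
EOF

# Print the id of every enabled repository stanza that does not enforce
# package signature verification (gpgcheck not 1, or no gpgkey given).
# A missing "enabled=" line counts as enabled, matching dnf's default.
unsigned_enabled_repos() {
  awk '
    function flush() {
      if (id != "" && enabled != "0" && (gpgcheck != "1" || gpgkey == ""))
        print id
      id = ""; enabled = ""; gpgcheck = ""; gpgkey = ""
    }
    /^\[.*\]$/   { flush(); id = substr($0, 2, length($0) - 2); next }
    /^enabled=/  { enabled  = substr($0, 9) }
    /^gpgcheck=/ { gpgcheck = substr($0, 10) }
    /^gpgkey=/   { gpgkey   = substr($0, 8) }
    END          { flush() }
  ' "$1"
}

# Usage: list the stanzas that would install unverified packages.
unsigned_enabled_repos "$SAMPLE_REPO_FILE"
```

Run against the constructed file, only `centos-hyperscale-testing-unsigned` is reported; the production stanza and the hardened testing stanza pass because each verifies against a named key. Pointing the testing stanza at a separate key, as the comment proposes, keeps a testing build from ever validating against the production key if it is installed by mistake.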
Per the March 2023 board meeting: We'd like to have the content signed.
Having two different keys can help clarify things are non-production, but creates confusion when it gets promoted. One key may be better.
Please reach out to Infra for implementation details/process/etc.