Trying to figure this out by myself has led me to the blog post already cited above, as well as this (even older, I think) page:
http://www.peterscheie.com/unix/automating_signing_with_GPG.html
gpg2 has changed some of the details, but I’ve got an unprotected DSA (signing-only) key created, loaded onto my repo server, and scripted to sign repomd.xml every time it’s updated. Updating the wiki is easy enough to do myself, of course.
But before I’d do that I’m wondering if this is the best way to go. The DSA key can only be used for signing, not decryption. And of course it’s readable only by root. But it’s still sitting on an Internet-facing server with no passphrase protection. I don’t really like this, but I’m having trouble seeing another way to automate signing the repomd.xml file. Thoughts?
I’d think that updating the NethServer.repo file in the relevant RPM would do this, but it seems that the new file has gone in as .rpmnew, so the repo check (or, for that matter, the package check) isn’t yet active.
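The signing setup described above, as an added example that is not part of the original post or of NethServer: an unattended, passphrase-less sign-only key is generated into a throwaway GNUPGHOME, a constructed repomd.xml is given a detached ASCII-armoured signature in the repodata/repomd.xml.asc location that yum's repo_gpgcheck reads, the signature is verified, and one byte of the file is then altered to confirm verification fails. It also checks the mitigation the post relies on, namely that the key carries no encrypt capability (field 12 of the `pub` record in `--with-colons` output). The key name, e-mail and paths are made up, and RSA is used instead of the post's DSA only because every yum/dnf release accepts it. Nothing here removes the underlying exposure of an unprotected key on an Internet-facing host; it only makes the signing step reproducible and verifiable. If no gpg binary is installed the demo prints "skipped".

```shell
#!/bin/sh
# Added example (not from the original post): unattended creation of a
# sign-only key with no passphrase, detached signing of repomd.xml, and a
# verification step. Key name, e-mail and paths below are made up.
set -u

# Modern distros ship gpg 2.x without a gpg2 link, so take whichever exists.
GPG=$(command -v gpg2 || command -v gpg || true)

# Create an unprotected RSA signing key in $GNUPGHOME (caller sets/exports it).
# %no-protection is the post's situation: no passphrase, so the key material is
# only as safe as the file permissions on $GNUPGHOME.
make_signing_key() {
    "$GPG" --batch --quiet --gen-key <<'EOF'
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: Repo Signing (example)
Name-Email: repo@example.invalid
Expire-Date: 1y
%no-protection
%commit
EOF
}

# Capability string of the first key in the keyring (field 12 of the 'pub'
# record), e.g. "scSC". An 'e' anywhere would mean the key can also decrypt.
key_caps() {
    "$GPG" --batch --with-colons --list-keys | awk -F: '$1 == "pub" { print $12; exit }'
}

# Detached, ASCII-armoured signature written next to repomd.xml as
# repomd.xml.asc, which is where yum's repo_gpgcheck looks. --yes overwrites
# the previous signature on each repository update, as a cron/post-update
# hook needs.
sign_repomd() {
    "$GPG" --batch --yes --quiet --armor --detach-sign --output "$1.asc" "$1"
}

verify_repomd() {
    "$GPG" --batch --quiet --verify "$1.asc" "$1" >/dev/null 2>&1
}

# End-to-end run against a constructed repomd.xml in a temporary GNUPGHOME.
# Prints "ok" when signing works, the key is sign-only, the signature verifies
# and a tampered file fails verification; "skipped" when gpg is not installed.
sign_and_verify_demo() {
    [ -n "$GPG" ] || { echo skipped; return 0; }
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"   # gpg warns about anything looser than 0700

    # Constructed stand-in for createrepo's output; real files are far larger.
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<repomd xmlns="http://linux.duke.edu/metadata/repo"><revision>1</revision></repomd>\n' \
        > "$work/repomd.xml"

    result=fail
    if make_signing_key >/dev/null 2>&1 \
        && ! key_caps | grep -qi e \
        && sign_repomd "$work/repomd.xml" \
        && verify_repomd "$work/repomd.xml"; then
        result=ok
    fi

    # Tamper check: a single appended byte must make verification fail.
    if [ "$result" = ok ]; then
        printf 'x' >> "$work/repomd.xml"
        if verify_repomd "$work/repomd.xml"; then result=fail; fi
    fi

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$result"
}
```

On a real repo server the same `sign_repomd` call would run from whatever hook regenerates the repodata, with GNUPGHOME pointing at a root-only directory. The usual way to limit the damage the post worries about is to keep the certifying primary key offline and put only a short-lived signing subkey on the server, so a compromised host key can be revoked and rotated without replacing the key clients trust.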