Help me understand Katello published gpg keys?

Hi @nem

There’s a difference between Yum and Deb content:

  • Yum: Packages are signed by the OS vendor (Red Hat, Oracle, Fedora Project, AlmaLinux, etc) or the software vendor (e.g. nginx signs its RPM packages). If you sync those to Foreman+Katello, the signature stays on the RPM package; Katello/Pulp does not resign the packages. → Clients have to verify the signature of the packages with the GPG pub key of the original OS/software vendor. You can get associated GPG pub keys from the Katello API.
  • Deb: In the Debian/Ubuntu world, the metadata of APT repositories is signed (e.g. Release.gpg and InRelease on Index of /debian-security/dists/bookworm-security). If you synchronize Deb content to Foreman+Katello, Katello will check the signature of the metadata before synchronizing it if you associate content credentials. When you do content management (e.g. creating CVs, filtering content, etc), then Pulp will re-create the APT repository metadata. Afterwards, Katello will sign the APT repo metadata with its own key. Clients have to use the pulp_deb_signing.key from your Foreman+Katello instance to verify the authenticity.

You can see the difference in Registering a Debian host compared to Registering an Oracle Linux host documentation for orcharhino (an enterprise product based on Foreman+Katello).

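The two trust models above map onto two different client-side settings: a yum/dnf `.repo` entry must have `gpgcheck=1` and point `gpgkey` at the vendor's public key, while an APT source line should pin Katello's re-signing key via `[signed-by=...]`. The following is an added audit script (not code from the forum post, Foreman, Katello or Pulp) that checks client repository definitions for exactly those settings. The sample `.repo` and `sources.list` contents, the `katello.example.com` hostname and the content paths inside them are constructed for illustration; it assumes standard INI syntax for `.repo` files and one-line `sources.list` syntax for APT.

```python
"""Audit client repo definitions for the signature checks each content type needs.

Added example, not code from Foreman/Katello/Pulp. Sample configs are constructed.
Yum: packages keep the vendor signature, so the client needs gpgcheck=1 plus a gpgkey.
Deb: Katello re-signs the metadata, so the client should pin pulp_deb_signing.key.
"""
import configparser
import re

# Constructed sample .repo file: one correct entry, one that skips verification.
SAMPLE_YUM_REPO = """\
[almalinux-baseos]
name=AlmaLinux BaseOS via Katello
baseurl=https://katello.example.com/pulp/content/Example/Library/content/alma9/BaseOS/
enabled=1
gpgcheck=1
gpgkey=https://katello.example.com/katello/api/v2/repositories/42/gpg_key_content

[vendor-tools]
name=Vendor tools (misconfigured: no signature check)
baseurl=https://katello.example.com/pulp/content/Example/Library/content/tools/
enabled=1
gpgcheck=0
"""

# Constructed sample sources.list: first line pins Katello's key, second does not.
SAMPLE_APT_SOURCES = """\
# Katello re-signs the metadata, so the client pins pulp_deb_signing.key
deb [signed-by=/etc/apt/keyrings/pulp_deb_signing.key] https://katello.example.com/pulp/deb/content/Example/Library/debian12/ bookworm main
# No signed-by: apt falls back to whatever is in the global trusted keyring
deb https://katello.example.com/pulp/deb/content/Example/Library/debian12-security/ bookworm-security main
"""

YUM_NO_GPGCHECK = "gpgcheck is not 1: RPM signatures are not verified"
YUM_NO_GPGKEY = "gpgkey is missing: no vendor public key to verify against"
APT_NO_SIGNED_BY = "no signed-by option: metadata is not pinned to pulp_deb_signing.key"
APT_TRUSTED_YES = "trusted=yes disables signature verification for this source"

# deb|deb-src, optional [options], URI, suite (components ignored here)
APT_LINE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)


def audit_yum_repo(text):
    """Return {repo_id: [findings]}; an empty list means signatures are verified."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        issues = []
        if parser.get(section, "gpgcheck", fallback="0").strip() != "1":
            issues.append(YUM_NO_GPGCHECK)
        if not parser.get(section, "gpgkey", fallback="").strip():
            issues.append(YUM_NO_GPGKEY)
        findings[section] = issues
    return findings


def audit_apt_sources(text):
    """Return [(uri, [findings])] for every non-comment source line."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = APT_LINE.match(line)
        if not match:
            results.append((line, ["unparseable source line"]))
            continue
        # Options look like "key=value key2=value2" inside the brackets.
        opts = {}
        for item in (match.group("opts") or "").split():
            key, _, value = item.partition("=")
            opts[key] = value
        issues = []
        if "signed-by" not in opts:
            issues.append(APT_NO_SIGNED_BY)
        if opts.get("trusted") == "yes":
            issues.append(APT_TRUSTED_YES)
        results.append((match.group("uri"), issues))
    return results


if __name__ == "__main__":
    for repo, issues in audit_yum_repo(SAMPLE_YUM_REPO).items():
        print(f"[yum] {repo}: {issues or 'OK'}")
    for uri, issues in audit_apt_sources(SAMPLE_APT_SOURCES):
        print(f"[apt] {uri}: {issues or 'OK'}")
```

Run against real files (`/etc/yum.repos.d/*.repo`, `/etc/apt/sources.list`) by reading them in place of the constructed samples; any non-empty findings list is a client that would accept unsigned or unverifiable content from that repository.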