
Remove dependence on GPG (or ensure we are agnostic to a specific GPG implementation) #7479

@dralley

Description


Version

All

Describe the bug

GnuPG has decided to fork the OpenPGP standard and do their own thing, with LibrePGP, in protest of some of the post-quantum signature changes. But they are pretty much alone in this, as the rest of the ecosystem including RH is following and/or pushing for IETF standards.

The fallout of this is:

> Yes. GnuPG does not have plans to support PQC signatures at the moment, and once they do, their implementation will likely be incompatible with OpenPGP, which we are using.
>
> Also, we are planning to remove GnuPG from RHEL 11, so you'd end up stuck maintaining your own copy.

Therefore, we need to ensure that Pulp is not so closely tied to GPG itself that we won't be able to work on RHEL 11. Presumably there will be some GPG-compatible replacement CLI tool, and we will need to test against that and make sure it can be accessed.

Specifically we use python-gnupg to access system keyrings here: https://github.com/pulp/pulpcore/blob/main/pulpcore/app/management/commands/add-signing-service.py#L75-L77

And we will want to make sure that can continue to work.

We also will want an audit of the plugins.

Additional context

https://redhat.atlassian.net/browse/PULP-1352
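One way to structure the keyring lookup so that it is not tied to a specific GPG implementation, added here as an illustration and not code from pulpcore or the linked `add-signing-service` command: the lookup talks to a small backend interface, the only GnuPG-specific piece is a parser for the machine-readable `--with-colons` key listing, and a static test double lets the fingerprint check run without any gpg binary installed. The `gpg` binary name, the assumption that a replacement CLI honours `--batch --with-colons --list-keys`, and the sample listing below are all constructed for this example.

```python
"""Keyring lookup behind a backend interface (constructed example, not pulpcore code)."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field
from typing import Protocol


@dataclass
class PublicKey:
    key_id: str
    fingerprint: str = ""
    uids: list[str] = field(default_factory=list)
    can_sign: bool = False


class KeyringBackend(Protocol):
    """Anything that can enumerate public keys; callers never touch gpg directly."""

    def list_keys(self) -> list[PublicKey]: ...


def _unescape(value: str) -> str:
    # Field values are C-escaped (a literal colon is "\x3a"), so splitting on ":" is safe.
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_colons_listing(text: str) -> list[PublicKey]:
    """Parse GnuPG's `--with-colons --list-keys` output.

    1-based fields: `pub` field 5 = key id, field 12 = capabilities (uppercase letters
    are the usable capabilities of the whole key, subkeys included); `fpr` and `uid`
    field 10 = fingerprint / user id. `sub` fingerprints are skipped so that only the
    primary-key fingerprint identifies a key.
    """
    keys: list[PublicKey] = []
    current: PublicKey | None = None
    in_subkey = False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 11:
            current = PublicKey(key_id=f[4].upper(), can_sign="S" in f[11])
            keys.append(current)
            in_subkey = False
        elif f[0] == "sub":
            in_subkey = True
        elif current is None or len(f) < 10:
            continue
        elif f[0] == "fpr" and not in_subkey:
            current.fingerprint = f[9].upper()
        elif f[0] == "uid":
            current.uids.append(_unescape(f[9]))
    return keys


class GnuPGCliBackend:
    """Backend for a CLI that accepts `--batch --with-colons --list-keys` (assumption:
    any GPG replacement must be checked for exactly this behaviour)."""

    def __init__(self, binary: str = "gpg", homedir: str | None = None) -> None:
        self.binary, self.homedir = binary, homedir

    def list_keys(self) -> list[PublicKey]:
        cmd = [self.binary, "--batch", "--with-colons", "--list-keys"]
        if self.homedir:
            cmd += ["--homedir", self.homedir]
        out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
        return parse_colons_listing(out)


class StaticListingBackend:
    """Test double fed a captured listing; the lookup runs without any gpg binary."""

    def __init__(self, listing: str) -> None:
        self.listing = listing

    def list_keys(self) -> list[PublicKey]:
        return parse_colons_listing(self.listing)


def find_signing_key(backend: KeyringBackend, fingerprint: str) -> PublicKey:
    """Locate a key by full fingerprint (not by a collision-prone short key id) and
    require that it is signing-capable."""
    want = fingerprint.replace(" ", "").upper()
    for key in backend.list_keys():
        if key.fingerprint == want:
            if not key.can_sign:
                raise ValueError(f"key {want} is not signing-capable")
            return key
    raise LookupError(f"no key with fingerprint {want} in keyring")


def key_check_outcome(backend: KeyringBackend, fingerprint: str) -> str:
    """What a management command would report for a requested signing key."""
    try:
        return "ok:" + find_signing_key(backend, fingerprint).key_id
    except ValueError:
        return "not-signing-capable"
    except LookupError:
        return "missing"


# Constructed listing: one signing-capable key and one certify/encrypt-only key.
SAMPLE_LISTING = r"""tru::1:1700000000:0:3:1:5
pub:u:255:22:89ABCDEF01234567:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::UIDHASHPLACEHOLDER::Constructed Signing Key <signer@example.invalid>::::::::::0:
sub:u:255:18:76543210FEDCBA98:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:u:255:22:0123456789ABCDEF:1700000000:::u:::cEC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1700000000::UIDHASHPLACEHOLDER::Encrypt\x3aOnly <enc@example.invalid>::::::::::0:
sub:u:255:18:6666777788889999:1700000000::::::e::::::23:
fpr:::::::::0000111122223333444455556666777788889999:
"""

if __name__ == "__main__":
    backend = StaticListingBackend(SAMPLE_LISTING)
    print(key_check_outcome(backend, "0123456789ABCDEF0123456789ABCDEF01234567"))
```

Swapping `GnuPGCliBackend` for another `KeyringBackend` is the only change a replacement tool would require, and the static backend keeps the fingerprint check testable in CI regardless of which binary the host ships.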
