From 8b521fc7221d33b08a76967014c877fef8a7db2c Mon Sep 17 00:00:00 2001
From: Ales Bregar
Date: Tue, 12 Aug 2025 17:58:45 +0200
Subject: [PATCH] updating REST api with multiple gpg keys support, due backwards compatibility introducing CSV under same key (gpg-key)
---
 api/publish.go | 20 +++++++++++++++++---
 docs/Publish.md | 6 +++++-
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/api/publish.go b/api/publish.go
index 633fdc34..b1f00f6b 100644
--- a/api/publish.go
+++ b/api/publish.go
@@ -16,8 +16,8 @@ import (
 type signingParams struct {
 // Don't sign published repository
 Skip bool ` json:"Skip" example:"false"`
- // GPG key ID to use when signing the release, if not specified default key is used
- GpgKey string ` json:"GpgKey" example:"A0546A43624A8331"`
+ // GPG key ID(s) to use when signing the release, CSV if multiple keys, if not specified default configured key(s) are used
+ GpgKey string ` json:"GpgKey" example:"KEY_ID_a,KEY_ID_b"`
 // GPG keyring to use (instead of default)
 Keyring string ` json:"Keyring" example:"trustedkeys.gpg"`
 // GPG secret keyring to use (instead of default) Note: depreciated with gpg2
@@ -41,7 +41,21 @@ func getSigner(options *signingParams) (pgp.Signer, error) {
 }
 signer := context.GetSigner()
- signer.SetKey(options.GpgKey)
+
+ var multiGpgKeys []string
+ // REST params have priority over config
+ if options.GpgKey != "" {
+ for _, p := range strings.Split(options.GpgKey, ",") {
+ if t := strings.TrimSpace(p); t != "" {
+ multiGpgKeys = append(multiGpgKeys, t)
+ }
+ }
+ } else if len(context.Config().GpgKeys) > 0 {
+ multiGpgKeys = context.Config().GpgKeys
+ }
+ for _, gpgKey := range multiGpgKeys {
+ signer.SetKey(gpgKey)
+ }
 signer.SetKeyRing(options.Keyring, options.SecretKeyring)
 signer.SetPassphrase(options.Passphrase, options.PassphraseFile)
diff --git a/docs/Publish.md b/docs/Publish.md
index 4175b631..40cacbfe 100644
--- a/docs/Publish.md
+++ b/docs/Publish.md
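Review bot: In the getSigner hunk, `for _, gpgKey := range multiGpgKeys { signer.SetKey(gpgKey) }` only signs with every listed key if `pgp.Signer.SetKey` accumulates key references; if it still overwrites a single reference, only the last ID in the CSV takes effect, so the interface contract should be confirmed (or an additive `AddKey`-style method used) and a test with two IDs added. When neither the request nor `context.Config().GpgKeys` supplies a key, `SetKey` is no longer called at all, whereas the removed line called `signer.SetKey("")` unconditionally, so the signer's default-key behaviour must not depend on that call. Request key IDs are only split and trimmed, so a repeated ID is passed twice and nothing bounds the list; de-duplicating while preserving order would keep what reaches gpg predictable. A comment such as `// Precedence: request GpgKey (CSV) > config GpgKeys > signer default` would state the intent more precisely than the current one, and `context.Config()` could be read once into a local instead of twice. getSigner starts and ends outside this hunk, and the diff adds no import line, so `strings` must already be imported in api/publish.go for this to build.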
@@ -25,7 +25,11 @@ Public part of the key should be exported from your keyring using `gpg --export
 ```
 aptly publish repo my-repo --gpg-key=KEY_ID_a --gpg-key=KEY_ID_b
 ```
-* If `--gpg-key` is specified on the command line, it takes precedence over any gpgKeys configuration in `aptly.conf`.
+* When using the REST API, the `gpgKey` parameter supports a comma-separated list of key IDs:
+```
+"gpgKey": "KEY_ID_a,KEY_ID_b"
+```
+* If `--gpg-key` is specified on the command line, or `gpgKey` is provided via the REST API, it takes precedence over any gpgKeys configuration in aptly.conf.
 * With multi-key support, aptly will sign all Release files (both clearsigned and detached signatures) with each provided key, ensuring a smooth key rotation process while maintaining compatibility for existing clients.
 #### Parameters