{{% if pkg_version %}}
{{# If pkg_version isn't defined, then the rule should be NOTCHECKED, because we don't have data needed for the check #}}
<def-group>
  <definition class="compliance" id="ensure_suse_gpgkey_installed" version="2">
    {{{ oval_metadata("The Red Hat release and auxiliary key packages are required to be installed.", rule_title=rule_title) }}}
    <criteria comment="Vendor GPG keys" operator="OR">
      <criteria comment="SUSE Vendor Keys" operator="AND">
        <criteria comment="SUSE Installed" operator="OR">
          <extend_definition comment="{{{ product }}} installed" definition_ref="installed_OS_is_{{{ product }}}" />
        </criteria>
        <criterion comment="package gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}} is installed"
        test_ref="test_suse_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
      </criteria>
    </criteria>
  </definition>

  <!-- First define global "object_suse_package_gpg-pubkey" to be shared (reused) across multiple tests -->
  <linux:rpminfo_object id="object_suse_package_gpg-pubkey" version="1">
    <linux:name>gpg-pubkey</linux:name>
  </linux:rpminfo_object>

  <!-- Perform the particular tests themselves -->
  <!-- Test for SUSE release key -->
  <linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
  id="test_suse_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" version="1"
  comment="SUSE build key package is installed">
    <linux:object object_ref="object_suse_package_gpg-pubkey" />
    <linux:state state_ref="state_suse_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" />
  </linux:rpminfo_test>

  <linux:rpminfo_state id="state_suse_package_gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}}" version="1">
    <linux:release>{{{ pkg_release }}}</linux:release>
    <linux:version>{{{ pkg_version }}}</linux:version>
  </linux:rpminfo_state>

</def-group>
{{% endif %}}