Information
The repo_gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, will perform a GPG signature check on the repodata.
Rationale:
It is important to ensure that the repository data signature is always checked prior to installation to ensure that the software is not tampered with in any way.
Impact:
Not all repositories, notably RedHat, support repo_gpgcheck. Take care to set this value to false (default) for particular repositories that do not support it. If enabled on repositories that do not support repo_gpgcheck installation of packages will fail.
Research is required by the user to determine which repositories is configured on the local system and, from that list, which support repo_gpgcheck.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Global configuration
Edit /etc/dnf/dnf.conf and set repo_gpgcheck=1 in the [main] section.
Example:
[main]
repo_gpgcheck=1
Per repository configuration
First check that the particular repository support GPG checking on the repodata.
Edit any failing files in /etc/yum.repos.d/* and set all instances starting with repo_gpgcheck to 1.