Information
The repo_gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, will perform a GPG signature check on the repodata.
It is important to ensure that the repository data signature is always checked prior to installation to ensure that the software is not tampered with in any way.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Global configuration
Edit /etc/dnf/dnf.conf and set repo_gpgcheck=1 in the [main] section.
Example:
[main]
repo_gpgcheck=1
Per repository configuration
First check that the particular repository support GPG checking on the repodata.
Edit any failing files in /etc/yum.repos.d/* and set all instances starting with repo_gpgcheck to 1
Impact:
Not all repositories, notably RedHat, support repo_gpgcheck Take care to set this value to false (default) for particular repositories that do not support it. If enabled on repositories that do not support repo_gpgcheck installation of packages will fail.
Research is required by the user to determine which repositories is configured on the local system and, from that list, which support repo_gpgcheck