6.11. YUM Repo Issues
This FAQ covers various issues that relate to YUM repositories and SIMP systems.
6.11.1. Global repo_gpgcheck=1
repo_gpgcheck should only be done against repositories that
you ultimately trust. Doing otherwise could allow untrusted repository
maintainers to compromise your system.
More information can be found on this SCAP Security Guide Mailing List Thread.
When SIMP is set into STIG enforcing mode using the SIMP Compliance Engine, it will automatically flip the global repo_gpgcheck setting to 1 in accordance with the STIG.
To mitigate this, you can modify the global settings by changing the appropriate value in the yum::config_options Hash. However, doing this will show as a finding during STIG compliance scans.
Alternatively, you can update each repository that is having issues and disable GPG checking for just that repository using the yumrepo Puppet resource.
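After applying a per-repository exemption, it helps to confirm which repositories actually ended up without metadata signature checking. The following is an added example, not part of SIMP or its documentation: it computes the effective repo_gpgcheck and gpgcheck values per repository, with per-repository values overriding [main]. The repository names, URLs and function names are hypothetical, and the input is constructed sample text rather than the contents of /etc/yum.conf and /etc/yum.repos.d.

```python
import configparser

# Constructed sample input (not from a real system): [main] as STIG enforcement
# leaves it, plus three hypothetical repositories.
SAMPLE_YUM_CONF = "[main]\ngpgcheck=1\nrepo_gpgcheck=1\n"
SAMPLE_REPOS = """\
[signed_repo]
baseurl=https://repo.example.test/signed
[unsigned_metadata]
baseurl=https://repo.example.test/unsigned-md
repo_gpgcheck=0
[no_checks]
baseurl=https://repo.example.test/none
gpgcheck=0
repo_gpgcheck=0
"""

def _parse(text):
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    return parser

def _flag(section, key, default):
    """Read a yum boolean (1/0, true/false, yes/no); use default when unset."""
    if key not in section:
        return default
    return section[key].strip().lower() in {"1", "true", "yes"}

def effective_settings(yum_conf_text, repo_text):
    """Map repo id -> effective checks, per-repo values overriding [main]."""
    main = _parse(yum_conf_text)
    main_sec = main["main"] if main.has_section("main") else {}
    # Assumption: an option missing from [main] is treated as off.
    global_meta = _flag(main_sec, "repo_gpgcheck", False)
    global_pkg = _flag(main_sec, "gpgcheck", False)
    repos, report = _parse(repo_text), {}
    for repo_id in repos.sections():
        meta = _flag(repos[repo_id], "repo_gpgcheck", global_meta)
        pkg = _flag(repos[repo_id], "gpgcheck", global_pkg)
        # "exempted": global metadata checking is on, this repo turned it off.
        report[repo_id] = {"repo_gpgcheck": meta, "gpgcheck": pkg,
                           "exempted": global_meta and not meta}
    return report

def unverified(report):
    """Repos with neither metadata nor package signature checking."""
    return sorted(r for r, s in report.items()
                  if not s["repo_gpgcheck"] and not s["gpgcheck"])

if __name__ == "__main__":
    print(effective_settings(SAMPLE_YUM_CONF, SAMPLE_REPOS))
```

A repository listed by unverified() has no signature verification of any kind and deserves review before it stays enabled.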