1.2.3 Ensure gpgcheck is globally activated (Scored)

Level 1 - Server 
Level 1 - Workstation

The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation.

It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.

Run the following command and verify gpgcheck is set to “1”:

# grep ^gpgcheck /etc/yum.conf 
gpgcheck=1

Run the following command and verify that all instances of gpgcheck returned are set to “1”:

# grep ^gpgcheck /etc/yum.repos.d/*

Edit /etc/yum.conf and set gpgcheck=1 in the [main] section.
Edit any failing files in /etc/yum.repos.d/* and set all instances of gpgcheck to “1”.