On 01/26/2017 04:30 PM, Lamar Owen wrote:
> On 01/26/2017 12:14 PM, Johnny Hughes wrote:
>> The testing RPMs are not signed .. they are straight from CBS. Does the
>> testing repo not have 'gpgcheck=0'?
> Ok, thanks. Given the level of system interaction that qemu/kvm has,
> it would be an ideal vector for malware, and package signing prevents
> this. My copy of the repo file has the following:
> +++++++++++
> [centos-qemu-ev-test]
> name=CentOS-$releasever - QEMU EV Testing
> baseurl=http://buildlogs.centos.org/centos/$releasever/virt/$basearch/kvm-common/
>
> gpgcheck=1
> enabled=0
> gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Virtualization
>

The update pulled in a new .repo file as part of the release package, and this stanza now shows gpgcheck=0
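
An added example, not part of the original thread and not CentOS project code: a small check that compares the old and new copy of a `.repo` file and reports stanzas where signature checking was switched off by an update. The function names, the accepted boolean spellings, and the assumption that an unset `gpgcheck` inherits an "on" default are illustrative; the "new" stanza is constructed from the message's statement that it now shows `gpgcheck=0`.

```python
import configparser

TRUE_VALUES = {"1", "yes", "true"}  # boolean spellings treated as "on" here

# Stanza as quoted in the message above (before the update).
OLD_REPO = """
[centos-qemu-ev-test]
name=CentOS-$releasever - QEMU EV Testing
baseurl=http://buildlogs.centos.org/centos/$releasever/virt/$basearch/kvm-common/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Virtualization
"""

# Constructed: the message only says the stanza "now shows gpgcheck=0";
# the remaining keys are assumed unchanged.
NEW_REPO = OLD_REPO.replace("gpgcheck=1", "gpgcheck=0")


def _load(text):
    # interpolation=None keeps $releasever / $basearch literal
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _flag(cp, section, key, default):
    raw = cp.get(section, key, fallback=None)
    return default if raw is None else raw.strip().lower() in TRUE_VALUES


def signing_downgrades(old_text, new_text, inherited_gpgcheck=True):
    """Return (repo_id, status, enabled) for each repo whose new stanza has
    signature checking off. status is 'downgraded' if the old stanza had it on,
    else 'unsigned'. inherited_gpgcheck is the assumed [main] default."""
    old, new = _load(old_text), _load(new_text)
    findings = []
    for section in new.sections():
        if _flag(new, section, "gpgcheck", inherited_gpgcheck):
            continue
        was_on = old.has_section(section) and _flag(
            old, section, "gpgcheck", inherited_gpgcheck)
        enabled = _flag(new, section, "enabled", True)
        findings.append((section, "downgraded" if was_on else "unsigned", enabled))
    return findings


if __name__ == "__main__":
    for repo_id, status, enabled in signing_downgrades(OLD_REPO, NEW_REPO):
        print(f"{repo_id}: gpgcheck {status}, enabled={enabled}")
```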