I am trying to figure out a way to use gpgcheck=1 in a yum repo given the presence of unsigned packages. At the moment it seems to me that the valuable gpgcheck feature is rendered useless as soon as one package is unsigned, because yum will refuse to update or install anything if one package (to be updated) is unsigned and gpgcheck=1 is set. In order to automate updates on a large number of machines I have to do gpgcheck=0. Does the "tolerant" flag affect this behavior? The man page is silent on this (and many other features). It only gives an example of the kind of behavior "tolerant" causes. One idea for a solution would be to have my own local gpgcheck=0 repository of unsigned packages (since they are very few) and use gpgcheck=1 on other repositories. I am not sure how to do this however. I can create a local repository containing only the java sdk package, but how do I tell yum to use this repo for java-sdk instead of sl- errata, but use sl-errata for everything else?