diff -up yum-3.4.3/docs/yum.conf.5.orig yum-3.4.3/docs/yum.conf.5

--- yum-3.4.3/docs/yum.conf.5.orig	2017-03-23 13:48:19.700471026 +0100

+++ yum-3.4.3/docs/yum.conf.5	2017-03-23 13:48:21.455461060 +0100

@@ -105,6 +105,31 @@ signature check on the repodata. When th

 default for all repositories. The default is `0'.

 .IP

+\fBpayload_gpgcheck\fR

+Either `1' or `0'. This tells yum whether or not it should also perform a GPG

+signature check on the payload (part of a package holding the actual files that

+comprise the package).

+

+By default, yum only performs GPG signature checks on package headers.

+Thus, if the payload data has been tampered with or corrupted, yum will fail in

+the middle of the transaction due to an RPM unpacking error, after some

+unverified scriptlets might have already run, and possibly leave the package in

+question partly installed.

+

+To prevent all of that, you can enable this option to extend the signature

+check to also include the payload, so that yum can avoid running the

+transaction in case of payload corruption.

+This slightly improves security, however at the expense of significantly

+increased transaction time, so you may want to only use this option when

+package corruption is a concern.

+

+For this option to have effect, make sure to also enable gpgcheck (or

+localpkg_gpgcheck for local packages).

+

+When this option is set in the [main] section it sets the default for all

+repositories. The default is `0'.

+

+.IP

 \fBskip_broken\fR

 Either `1' or `0'. Resolve depsolve problems by removing packages that

 are causing problems from the transaction.

diff -up yum-3.4.3/rpmUtils/miscutils.py.orig yum-3.4.3/rpmUtils/miscutils.py

--- yum-3.4.3/rpmUtils/miscutils.py.orig	2011-06-28 22:27:22.000000000 +0200

+++ yum-3.4.3/rpmUtils/miscutils.py	2017-03-23 13:48:21.455461060 +0100

@@ -58,11 +58,16 @@ def compareVerOnly(v1, v2):

     """compare version strings only using rpm vercmp"""

     return compareEVR(('', v1, ''), ('', v2, ''))

-def checkSig(ts, package):

-    """Takes a transaction set and a package, check it's sigs, 

+def checkSig(ts, package, payload=False):

+    """Takes a transaction set and a package, check it's sigs.

+

+    By default, only RPMv4 sigs (header-only) will be verified (faster).  By

+    setting payload to True, RPMv3 sigs (header+payload) will also be verified

+    (slower).

+

     return 0 if they are all fine

     return 1 if the gpg key can't be found

-    return 2 if the header is in someway damaged

+    return 2 if the header or payload is in someway damaged

     return 3 if the key is not trusted 

     return 4 if the pkg is not gpg or pgp signed"""

@@ -89,6 +94,24 @@ def checkSig(ts, package):

         else:

             del hdr

+    # Don't perform the payload check if the header check failed, otherwise we

+    # could mask the reason stored in "value" (we only return one integer from

+    # this function and shouldn't change that).

+    if payload and value == 0:

+        os.lseek(fdno, 0, 0)

+        # We don't want the OK message to pollute the output but we do want the

+        # BAD message (verbose version) in case of a failure, which is only

+        # possible by running _verifySigs() twice (temporary hack until we have

+        # the proper API for payload verification in RPM).

+        rpm.setVerbosity(rpm.RPMLOG_WARNING)

+        valid = ts._verifySigs(fdno, package)

+        if not valid:

+            value = 2

+            os.lseek(fdno, 0, 0)

+            rpm.setVerbosity(rpm.RPMLOG_INFO)

+            ts._verifySigs(fdno, package)

+        rpm.setVerbosity(rpm.RPMLOG_NOTICE)

+

     try:

         os.close(fdno)

     except OSError, e: # if we're not opened, don't scream about it

diff -up yum-3.4.3/rpmUtils/transaction.py.orig yum-3.4.3/rpmUtils/transaction.py

--- yum-3.4.3/rpmUtils/transaction.py.orig	2017-03-23 13:48:19.441472497 +0100

+++ yum-3.4.3/rpmUtils/transaction.py	2017-03-23 13:48:21.455461060 +0100

@@ -35,7 +35,8 @@ class TransactionWrapper:

                          'setProbFilter',

                          'hdrFromFdno',

                          'next',

-                         'clean']

+                         'clean',

+                         '_verifySigs']

         self.tsflags = []

         self.open = True

diff -up yum-3.4.3/yum/config.py.orig yum-3.4.3/yum/config.py

--- yum-3.4.3/yum/config.py.orig	2017-03-23 13:48:19.701471020 +0100

+++ yum-3.4.3/yum/config.py	2017-03-23 13:48:21.456461055 +0100

@@ -46,6 +46,7 @@ from misc import get_uuid, read_in_items

 # Alter/patch these to change the default checking...

 __pkgs_gpgcheck_default__ = False

 __repo_gpgcheck_default__ = False

+__payload_gpgcheck_default__ = False

 __main_multilib_policy_default__ = 'all'

 __main_failovermethod_default__ = 'roundrobin'

 __main_installonly_limit_default__ = 0

@@ -786,6 +787,7 @@ class YumConf(StartupConf):

     gpgcheck = BoolOption(__pkgs_gpgcheck_default__)

     repo_gpgcheck = BoolOption(__repo_gpgcheck_default__)

     localpkg_gpgcheck = BoolOption(__pkgs_gpgcheck_default__)

+    payload_gpgcheck = BoolOption(__payload_gpgcheck_default__)

     obsoletes = BoolOption(True)

     showdupesfromrepos = BoolOption(False)

     enabled = BoolOption(True)

diff -up yum-3.4.3/yum/__init__.py.orig yum-3.4.3/yum/__init__.py

--- yum-3.4.3/yum/__init__.py.orig	2017-03-23 13:48:19.731470850 +0100

+++ yum-3.4.3/yum/__init__.py	2017-03-23 13:48:21.456461055 +0100

@@ -2755,7 +2755,9 @@ much more problems).

         if check:

             ts = self.rpmdb.readOnlyTS()

-            sigresult = rpmUtils.miscutils.checkSig(ts, po.localPkg())

+            sigresult = rpmUtils.miscutils.checkSig(

+                ts, po.localPkg(), payload=self.conf.payload_gpgcheck,

+            )

             localfn = os.path.basename(po.localPkg())

             if sigresult == 0: