diff -up yum-3.4.3/docs/yum.conf.5.orig yum-3.4.3/docs/yum.conf.5

--- yum-3.4.3/docs/yum.conf.5.orig	2017-10-26 11:13:52.013324456 +0200

+++ yum-3.4.3/docs/yum.conf.5	2017-10-26 11:15:37.733858789 +0200

@@ -106,28 +106,34 @@ default for all repositories. The defaul

 .IP

 \fBpayload_gpgcheck\fR

-Either `1' or `0'. This tells yum whether or not it should also perform a GPG

-signature check on the payload (part of a package holding the actual files that

-comprise the package).

-

-By default, yum only performs GPG signature checks on package headers.

-Thus, if the payload data has been tampered with or corrupted, yum will fail in

-the middle of the transaction due to an RPM unpacking error, after some

-unverified scriptlets might have already run, and possibly leave the package in

-question partly installed.

-

-To prevent all of that, you can enable this option to extend the signature

-check to also include the payload, so that yum can avoid running the

-transaction in case of payload corruption.

-This slightly improves security, however at the expense of significantly

-increased transaction time, so you may want to only use this option when

-package corruption is a concern.

+Either `1' or `0'. This tells yum whether or not it should perform a v3

+signature check on packages when \fBgpgcheck\fR (or \fBlocalpkg_gpgcheck\fR for

+local packages) is enabled.

+

+There are two types of GPG signatures generated by rpm: v3 (on header+payload)

+and v4 (on header only).  When rpm signs a package, it creates both types.  Yum

+can verify any of them before the transaction, depending on which options are

+set.  When \fBgpgcheck\fR is enabled and this option is disabled, yum will

+verify v4 signatures only.  When both \fBgpgcheck\fR and this option are

+enabled, yum will verify both v4 and v3 signatures (equivalent to running "rpm

+\-\-checksig").  The same rules apply to local packages and the

+\fBlocalpkg_gpgcheck\fR option accordingly.

+

+Since the header contains sha256 digests of individual files in the payload (a

+gzip-compressed cpio archive of files used in the package), verifying the

+header signature (v4) is sufficient to ensure authenticity and integrity of the

+whole package.  After rpm unpacks the payload, it moves the files to their

+destination paths one by one after they pass the digest check.  If a file

+doesn't pass, it won't be moved and the transaction will abort.  However,

+because no rollback is done in such a case, the package may end up in the

+partially installed state.

+

+By verifying v3 signatures, yum will detect payload tamper before the

+transaction.  While this will slightly increase processing time for big

+transactions and/or packages, it will prevent such broken installs and enhance

+security.

-For this option to have effect, make sure to also enable gpgcheck (or

-localpkg_gpgcheck for local packages).

-

-When this option is set in the [main] section it sets the default for all

-repositories. The default is `0'.

+The default is `0'.

 .IP

 \fBskip_broken\fR

diff -up yum-3.4.3/rpmUtils/miscutils.py.orig yum-3.4.3/rpmUtils/miscutils.py

--- yum-3.4.3/rpmUtils/miscutils.py.orig	2017-10-26 11:13:49.637334921 +0200

+++ yum-3.4.3/rpmUtils/miscutils.py	2017-10-26 11:15:43.141834969 +0200

@@ -61,8 +61,8 @@ def compareVerOnly(v1, v2):

 def checkSig(ts, package, payload=False):

     """Takes a transaction set and a package, check it's sigs.

-    By default, only RPMv4 sigs (header-only) will be verified (faster).  By

-    setting payload to True, RPMv3 sigs (header+payload) will also be verified

+    By default, only v4 sigs (header-only) will be verified (faster).  By

+    setting payload to True, v3 sigs (header+payload) will also be verified

     (slower).

     return 0 if they are all fine