Lexal [V5]


What to do when yum tells you that a package isn't signed

First off, what the hell is GPG signing, and why is it used? Basically, it's a method that yum repository maintainers (among other people) can use to guarantee that when a user downloads a package from the repo, it is what it says it is. When a package maintainer signs a package, they publish the public key so that users can verify the package's signature against it and confirm the file is authentic and unmodified. This is done automatically by the yum program. But sometimes, for whatever reason, a package maintainer either skips signing or just forgets to. In this case, you have to do a little editing of the repo file.

The first thing you have to do is locate the repo file. It usually resides in /etc/yum.repos.d/. I deal with Red Hat based distros mostly (CentOS, Fedora, RHEL), so if that's not where your distro keeps its yum repo files, your mileage may vary. Regardless, once you find the offending repo, simply change the value of gpgcheck from 1 to 0 in that repo's section. Keep in mind that this turns off signature checking for every package yum pulls from that repo, not just the one that failed, so only touch the section for the repo that's actually giving you trouble.

That's it! Once you do that and save the file, try to install/update the package again, and it'll go through. As a courtesy, you might want to give the repo maintainer a heads-up to let them know that some of their packages aren't signed. They may already know, but it really can't hurt to let 'em know again.
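Here's an added example (not from the original post) that does the edit in a section-scoped way and then lists which repo sections are still running with gpgcheck=0, so the override is easy to find and flip back once the maintainer starts signing again. It assumes a POSIX sh with awk and mktemp; the sample .repo file and its section names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh + awk.
# set_gpgcheck FILE SECTION VALUE: rewrite gpgcheck only inside [SECTION],
# leaving every other section of the .repo file untouched.
set_gpgcheck() {
    file=$1 section=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v val="$value" '
        /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2) }
        cur == sec && /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            print "gpgcheck=" val; next
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps file perms
    rm -f "$tmp"
}

# repos_without_gpgcheck FILE...: print "file: [section]" for every
# section whose gpgcheck is 0, i.e. where signature checking is off.
repos_without_gpgcheck() {
    awk '
        /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2) }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            if ($0 == "0") print FILENAME ": [" cur "]"
        }
    ' "$@"
}

# Constructed sample repo file with two sections, both verified.
# Real files live in /etc/yum.repos.d/; this one is a temp file.
SAMPLE_REPO=$(mktemp)
cat > "$SAMPLE_REPO" <<'EOF'
[base]
name=Base
baseurl=http://example.invalid/base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[extras]
name=Extras
baseurl=http://example.invalid/extras
gpgcheck=1
EOF

# Demo: disable checking only for [extras], then audit the file.
set_gpgcheck "$SAMPLE_REPO" extras 0
repos_without_gpgcheck "$SAMPLE_REPO"
```

Run the audit over `/etc/yum.repos.d/*.repo` periodically; anything it prints is a repo you meant to revert.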