## download.media_preference = download
##
+## Signature checking (repo metadata and downloaded rpm packages)
+##
+## boolean gpgcheck (default: on)
+## boolean repo_gpgcheck (default: unset -> according to gpgcheck)
+## boolean pkg_gpgcheck (default: unset -> according to gpgcheck)
+##
+## Explicitly setting 'gpgcheck', 'repo_gpgcheck' 'pkg_gpgcheck' in a
+## repositories .repo file will overwrite the defaults for this specific
+## repo.
+##
+## If 'gpgcheck' is 'on' (the default) we will check the signature of repo metadata
+## (packages are secured via checksum inside the metadata). Using unsigned repos
+## needs to be confirmed.
+## Packages from signed repos are accepted if their checksum matches the checksum
+## stated in the repo metadata.
+## Packages from unsigned repos need a valid gpg signature, using unsigned packages
+## needs to be confirmed.
+##
+## The above default behavior can be tuned by explicitly setting 'repo_gpgcheck'
+## and/or 'pkg_gpgcheck':
+##
+## 'repo_gpgcheck = on' same as the default.
+##
+## 'repo_gpgcheck = off' will silently accept unsigned repos. It will NOT turn off
+## signature checking on the whole, nevertheless it's not a secure setting.
+##
+## 'pkg_gpgcheck = on' will enforce the package signature checking and the need
+## to confirm unsigned packages for all repos (signed and unsigned).
+##
+## 'pkg_gpgcheck = off' will silently accept unsigned packages. It will NOT turn off
+## signature checking on the whole, nevertheless it's not a secure setting.
+##
+## If 'gpgCheck' is 'off' (not recommended), no checks are performed. You can still
+## enable them individually by setting 'repo_gpgcheck' and/or 'pkg_gpgcheck' to 'on'.
+##
+## NOTE:
+## BSC#1038984: For a short period of time, libzypp-16.15.x
+## will silently accept unsigned packages IFF a repositories gpgcheck
+## configuration is explicitly turned OFF like this:
+## gpgcheck = 0
+## repo_gpgcheck = 0
+## pkg_gpgcheck = 1
+## This will allow some already released products to adapt to the behavioral
+## changes introduced by fixing BSC#1038984, while systems with a default
+## configuration (gpgcheck = 1) already benefit from the fix in libzypp-16.15.x.
+## With libzypp-16.16.x the above configuration will reject unsigned packages
+## as it is supposed to do.
+##
+## DISABLING GPG CHECKS IS NOT RECOMMENDED.
+## Signing data enables the recipient to verify that no modifications
+## occurred after the data were signed. Accepting data with no, wrong
+## or unknown signature can lead to a corrupted system and in extreme
+## cases even to a system compromise.
+##
+# repo_gpgcheck = unset -> according to gpgcheck
+# pkg_gpgcheck = unset -> according to gpgcheck
+
+##
## Commit download policy to use as default.
##
## DownloadOnly, Just download all packages to the local cache.
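Review bot: The NOTE on BSC#1038984 calls the temporary exception a configuration that is "explicitly turned OFF", yet the example it gives ends with "pkg_gpgcheck = 1", which the same comment block earlier defines as enforcing package signature checking for all repos. Say outright that in libzypp-16.15.x "pkg_gpgcheck = 1" does not yet cause unsigned packages to be rejected when it is combined with "gpgcheck = 0" and "repo_gpgcheck = 0", so that an admin reading this file does not assume the setting already protects the system. Smaller points in the same block: the list "'gpgcheck', 'repo_gpgcheck' 'pkg_gpgcheck'" is missing a comma and "repositories .repo file" should be possessive; "'gpgCheck'" in the "is 'off' (not recommended)" paragraph should match the lowercase key name; the text uses on/off while the NOTE uses 0/1 without saying the two are equivalent; and the commented defaults at the end list repo_gpgcheck and pkg_gpgcheck but no line for gpgcheck itself, although it is documented above as "default: on".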