I wrote that I would double-check how secure the module selection and downloading is in Puppet. puppet module resolves, fetches and downloads unsigned tarballs from an HTTP source and unpacks them without any verification whatsoever.
Related: I've been looking at yum GPG behaviour. checking the signature of RPMs as a separate operation from installing them. You can't ask it to not install a package if the signature is absent or not correct.
yum is better when dealing with repositories. It can be told to check the GPG signature on all RPMs both globally (the [main] section of yum.conf) and on a per-repository basis. GPG signature checking can be disabled on the command line with --nogpgcheck. It cannot be selectively enabled on the command line.
yum install can install local RPMs and RPMs on web servers as well as from repositories. In both of these cases, it will not check the GPG signature at all, no matter what you've put in your
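Since neither rpm nor yum will refuse a local RPM on its own, the separate signature check has to be wired in by hand. The wrapper below is an added example (not from the original post): it runs rpm -K on each file and installs only if the output reports a verified OpenPGP signature. The output formats it recognises are assumed from rpm 4.x behaviour; the sample lines at the end are constructed, not real package output.

```shell
#!/bin/sh
# rpm -K exits 0 for an unsigned package whose digests merely match, so the
# exit status is not enough: the result line must mention a signature AND
# end in OK. Formats assumed (rpm 4.x):
#   old:  "pkg.rpm: rsa sha1 (md5) pgp md5 OK"        signed, verified
#   old:  "pkg.rpm: sha1 md5 OK"                      unsigned, digests only
#   old:  "pkg.rpm: ... (GPG) NOT OK (MISSING KEYS: ...)"
#   new:  "pkg.rpm: digests signatures OK" / "pkg.rpm: digests OK"

# sig_ok LINE: exit 0 only if LINE is an rpm -K result for a package whose
# signature was actually checked and verified.
sig_ok() {
    line=$1
    case $line in
        *"NOT OK"*) return 1 ;;      # bad signature, missing key, or bad digest
        *" OK")
            case $line in
                # signature algorithm tokens (old rpm) or "signatures" (new rpm)
                *[Pp][Gg][Pp]*|*[Gg][Pp][Gg]*|*[Dd][Ss][Aa]*|*[Rr][Ss][Aa]*|*signatures*)
                    return 0 ;;
            esac
            return 1 ;;              # digests only: the package is unsigned
        *) return 1 ;;
    esac
}

# checked_install FILE...: verify every RPM first, then install them in one
# transaction, so a single unsigned file aborts the whole operation.
checked_install() {
    for f in "$@"; do
        out=$(rpm -K "$f") || { echo "rpm -K failed: $f" >&2; return 1; }
        sig_ok "$out" || { echo "refusing to install $f: $out" >&2; return 1; }
    done
    rpm -Uvh "$@"
}

# Constructed sample lines (not real rpm output) showing the verdicts.
for l in "a.rpm: rsa sha1 (md5) pgp md5 OK" \
         "a.rpm: sha1 md5 OK" \
         "a.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)"; do
    if sig_ok "$l"; then echo "install: $l"; else echo "refuse:  $l"; fi
done
```

Import the vendor key with rpm --import beforehand, or every signed package will be rejected with MISSING KEYS.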
Finally, even if all the above worked properly, the GPG keys published by Fedora have almost no public signatures (none at all for EPEL), so neither you nor I could establish a trust path to them. Luckily I can establish a trust path to the RH security key.