CompTIA Linux+ XK0-006 (V8) Practice Question

Installing the epel-release RPM that the Fedora project publishes is the method officially recommended by EPEL. The RPM drops an /etc/yum.repos.d/epel.repo file with gpgcheck=1 and a gpgkey= line that points to the project's public key, and it also places the key in /etc/pki/rpm-gpg/. Because the RPM itself is signed, dnf verifies the package before installing it, then automatically imports the key when the first EPEL package is installed. After that, the repository remains permanently configured and can be used in any future dnf transaction without further edits.

The other choices violate at least one policy objective:

• Creating the repo by hand and setting gpgcheck=0 disables signature verification.
• Using dnf --nogpgcheck either for the htop install or for the repository-release RPM turns off signature checking entirely.
• Adding the repository with dnf config-manager but installing packages with --nogpgcheck likewise bypasses GPG validation.

Therefore, installing the signed epel-release RPM directly from the Fedora mirror without the --nogpgcheck flag is the only option that keeps GPG enforcement intact and leaves the repository correctly configured for later use.