diff --git a/internal/cloudapi/v2/errors.go b/internal/cloudapi/v2/errors.go
index 238b84728..3a0285811 100644
--- a/internal/cloudapi/v2/errors.go
+++ b/internal/cloudapi/v2/errors.go
@@ -42,6 +42,7 @@ const (
 	ErrorInvalidJobType               ServiceErrorCode = 26
 	ErrorInvalidOSTreeParams          ServiceErrorCode = 27
 	ErrorTenantNotFound               ServiceErrorCode = 28
+	ErrorNoGPGKey                     ServiceErrorCode = 29
 
 	// Internal errors, these are bugs
 	ErrorFailedToInitializeBlueprint              ServiceErrorCode = 1000
@@ -107,6 +108,7 @@ func getServiceErrors() serviceErrors {
 		serviceError{ErrorInvalidNumberOfImageBuilds, http.StatusBadRequest, "Compose request has unsupported number of image builds"},
 		serviceError{ErrorInvalidOSTreeParams, http.StatusBadRequest, "Invalid OSTree parameters or parameter combination"},
 		serviceError{ErrorTenantNotFound, http.StatusBadRequest, "Tenant not found in JWT claims"},
+		serviceError{ErrorNoGPGKey, http.StatusBadRequest, "Invalid repository, when check_gpg is set, gpgkey must be specified"},
 
 		serviceError{ErrorFailedToInitializeBlueprint, http.StatusInternalServerError, "Failed to initialize blueprint"},
 		serviceError{ErrorFailedToGenerateManifestSeed, http.StatusInternalServerError, "Failed to generate manifest seed"},
diff --git a/internal/cloudapi/v2/v2.go b/internal/cloudapi/v2/v2.go
index 2ea842d87..70ab6da5a 100644
--- a/internal/cloudapi/v2/v2.go
+++ b/internal/cloudapi/v2/v2.go
@@ -1272,5 +1272,9 @@ func genRepoConfig(repo Repository) (*rpmmd.RepoConfig, error) {
 		repoConfig.IgnoreSSL = *repo.IgnoreSsl
 	}
 
+	if repoConfig.CheckGPG && repoConfig.GPGKey == "" {
+		return nil, HTTPError(ErrorNoGPGKey)
+	}
+
 	return repoConfig, nil
 }
diff --git a/internal/cloudapi/v2/v2_internal_test.go b/internal/cloudapi/v2/v2_internal_test.go
index 8405d5eb7..ea8731c2c 100644
--- a/internal/cloudapi/v2/v2_internal_test.go
+++ b/internal/cloudapi/v2/v2_internal_test.go
@@ -230,17 +230,44 @@ func TestRepoConfigConversion(t *testing.T) {
 		assert.Equal(rc, &tc.repoConfig, "mismatch in test case %d", idx)
 	}
 
-	// test error
-	noURL := Repository{
-		Baseurl:     nil,
-		CheckGpg:    nil,
-		Gpgkey:      nil,
-		IgnoreSsl:   nil,
-		Metalink:    nil,
-		Mirrorlist:  nil,
-		Rhsm:        true,
-		PackageSets: nil,
+	errorTestCases := []struct {
+		repo Repository
+		err  string
+	}{
+		// invalid repo
+		{
+			repo: Repository{
+				Baseurl:     nil,
+				CheckGpg:    nil,
+				Gpgkey:      nil,
+				IgnoreSsl:   nil,
+				Metalink:    nil,
+				Mirrorlist:  nil,
+				Rhsm:        true,
+				PackageSets: nil,
+			},
+			err: HTTPError(ErrorInvalidRepository).Error(),
+		},
+
+		// check gpg required but no gpgkey given
+		{
+			repo: Repository{
+				Baseurl:     nil,
+				CheckGpg:    common.BoolToPtr(true),
+				Gpgkey:      nil,
+				IgnoreSsl:   common.BoolToPtr(true),
+				Metalink:    common.StringToPtr("http://example.org/metalink"),
+				Mirrorlist:  nil,
+				Rhsm:        true,
+				PackageSets: nil,
+			},
+			err: HTTPError(ErrorNoGPGKey).Error(),
+		},
+	}
+
+	for _, tc := range errorTestCases {
+		rc, err := genRepoConfig(tc.repo)
+		assert.Nil(rc)
+		assert.EqualError(err, tc.err)
 	}
-	_, err := genRepoConfig(noURL)
-	assert.EqualError(err, HTTPError(ErrorInvalidRepository).Error())
 }