diff --git a/cmd/gen-manifests/main.go b/cmd/gen-manifests/main.go index 814ad8c3d..dca6175a5 100644 --- a/cmd/gen-manifests/main.go +++ b/cmd/gen-manifests/main.go @@ -187,12 +187,17 @@ func makeManifestJob(name string, imgType distro.ImageType, cr composeRequest, d type DistroArchRepoMap map[string]map[string][]repository func convertRepo(r repository) rpmmd.RepoConfig { + var keys []string + if r.GPGKey != "" { + keys = []string{r.GPGKey} + } + return rpmmd.RepoConfig{ Name: r.Name, BaseURL: r.BaseURL, Metalink: r.Metalink, MirrorList: r.MirrorList, - GPGKey: r.GPGKey, + GPGKeys: keys, CheckGPG: r.CheckGPG, MetadataExpire: r.MetadataExpire, ImageTypeTags: r.ImageTypeTags, diff --git a/cmd/osbuild-pipeline/main.go b/cmd/osbuild-pipeline/main.go index e63000704..e0adcdcdc 100644 --- a/cmd/osbuild-pipeline/main.go +++ b/cmd/osbuild-pipeline/main.go @@ -140,12 +140,18 @@ func main() { if repoName == "" { repoName = fmt.Sprintf("repo-%d", i) } + + var keys []string + if repo.GPGKey != "" { + keys = []string{repo.GPGKey} + } + repos[i] = rpmmd.RepoConfig{ Name: repoName, BaseURL: repo.BaseURL, Metalink: repo.Metalink, MirrorList: repo.MirrorList, - GPGKey: repo.GPGKey, + GPGKeys: keys, CheckGPG: repo.CheckGPG, PackageSets: repo.PackageSets, } diff --git a/internal/cloudapi/v2/handler.go b/internal/cloudapi/v2/handler.go index 6208f45f2..c6b6e58cf 100644 --- a/internal/cloudapi/v2/handler.go +++ b/internal/cloudapi/v2/handler.go @@ -1255,14 +1255,14 @@ func genRepoConfig(repo Repository) (*rpmmd.RepoConfig, error) { if repo.CheckGpg != nil { repoConfig.CheckGPG = *repo.CheckGpg } - if repo.Gpgkey != nil { - repoConfig.GPGKey = *repo.Gpgkey + if repo.Gpgkey != nil && *repo.Gpgkey != "" { + repoConfig.GPGKeys = []string{*repo.Gpgkey} } if repo.IgnoreSsl != nil { repoConfig.IgnoreSSL = *repo.IgnoreSsl } - if repoConfig.CheckGPG && repoConfig.GPGKey == "" { + if repoConfig.CheckGPG && len(repoConfig.GPGKeys) == 0 { return nil, HTTPError(ErrorNoGPGKey) } 
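Review bot: The five-line wrap of a single `GPGKey` into `GPGKeys` in convertRepo is repeated verbatim in osbuild-pipeline's main, TestDistro_Manifest and loadRepositoriesFromFile, so the rule for what counts as "no key" now lives in four places. A small helper next to RepoConfig, for example `func singleKey(k string) []string { if k == "" { return nil }; return []string{k} }`, would stop the copies drifting apart when one of these input formats gains a real key list. The helper name is only a suggestion, and convertRepo's body continues past the end of the hunk.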
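Review bot: The new `*repo.Gpgkey != ""` guard in genRepoConfig has no test in the visible TestRepoConfigConversion hunks, which only rename the field or drop `GPGKey: ""`. A case with `CheckGpg` true and `Gpgkey` pointing at an empty string, expecting `HTTPError(ErrorNoGPGKey)`, would pin the rejection path so a later refactor of the slice handling cannot silently accept a repository that asks for signature checking but supplies no key. genRepoConfig starts and ends outside this hunk, so an existing test elsewhere may already cover it.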
diff --git a/internal/cloudapi/v2/v2_internal_test.go b/internal/cloudapi/v2/v2_internal_test.go index 0b600c439..e18280c9a 100644 --- a/internal/cloudapi/v2/v2_internal_test.go +++ b/internal/cloudapi/v2/v2_internal_test.go @@ -107,7 +107,7 @@ func TestRepoConfigConversion(t *testing.T) { BaseURL: "http://base.url", Metalink: "", MirrorList: "", - GPGKey: "some-kind-of-key", + GPGKeys: []string{"some-kind-of-key"}, CheckGPG: true, IgnoreSSL: false, MetadataExpire: "", @@ -131,7 +131,6 @@ func TestRepoConfigConversion(t *testing.T) { BaseURL: "http://base.url", Metalink: "", // since BaseURL is specified, MetaLink is not copied MirrorList: "", // since BaseURL is specified, MirrorList is not copied - GPGKey: "", CheckGPG: false, IgnoreSSL: true, MetadataExpire: "", @@ -155,7 +154,6 @@ func TestRepoConfigConversion(t *testing.T) { BaseURL: "", Metalink: "", // since MirrorList is specified, MetaLink is not copied MirrorList: "http://example.org/mirrorlist", - GPGKey: "", CheckGPG: false, IgnoreSSL: true, MetadataExpire: "", @@ -179,7 +177,6 @@ func TestRepoConfigConversion(t *testing.T) { BaseURL: "", Metalink: "http://example.org/metalink", MirrorList: "", - GPGKey: "", CheckGPG: false, IgnoreSSL: true, MetadataExpire: "", diff --git a/internal/distro/distro_test_common/distro_test_common.go b/internal/distro/distro_test_common/distro_test_common.go index 042edca61..2941d81e7 100644 --- a/internal/distro/distro_test_common/distro_test_common.go +++ b/internal/distro/distro_test_common/distro_test_common.go 
@@ -61,12 +61,17 @@ func TestDistro_Manifest(t *testing.T, pipelinePath string, prefix string, regis repos := make([]rpmmd.RepoConfig, len(tt.ComposeRequest.Repositories)) for i, repo := range tt.ComposeRequest.Repositories { + var keys []string + if repo.GPGKey != "" { + keys = []string{repo.GPGKey} + } + repos[i] = rpmmd.RepoConfig{ Name: fmt.Sprintf("repo-%d", i), BaseURL: repo.BaseURL, Metalink: repo.Metalink, MirrorList: repo.MirrorList, - GPGKey: repo.GPGKey, + GPGKeys: keys, CheckGPG: repo.CheckGPG, } } diff --git a/internal/dnfjson/dnfjson.go b/internal/dnfjson/dnfjson.go index fb9bfedda..5a6e9b90b 100644 --- a/internal/dnfjson/dnfjson.go +++ b/internal/dnfjson/dnfjson.go @@ -247,7 +247,7 @@ func (s *Solver) reposFromRPMMD(rpmRepos []rpmmd.RepoConfig) ([]repoConfig, erro BaseURL: rr.BaseURL, Metalink: rr.Metalink, MirrorList: rr.MirrorList, - GPGKey: rr.GPGKey, + GPGKeys: rr.GPGKeys, IgnoreSSL: rr.IgnoreSSL, MetadataExpire: rr.MetadataExpire, } 
@@ -271,17 +271,17 @@ func (s *Solver) reposFromRPMMD(rpmRepos []rpmmd.RepoConfig) ([]repoConfig, erro // Repository configuration for resolving dependencies for a set of packages. A // Solver needs at least one RPM repository configured to be able to depsolve. type repoConfig struct { - ID string `json:"id"` - Name string `json:"name,omitempty"` - BaseURL string `json:"baseurl,omitempty"` - Metalink string `json:"metalink,omitempty"` - MirrorList string `json:"mirrorlist,omitempty"` - GPGKey string `json:"gpgkey,omitempty"` - IgnoreSSL bool `json:"ignoressl"` - SSLCACert string `json:"sslcacert,omitempty"` - SSLClientKey string `json:"sslclientkey,omitempty"` - SSLClientCert string `json:"sslclientcert,omitempty"` - MetadataExpire string `json:"metadata_expire,omitempty"` + ID string `json:"id"` + Name string `json:"name,omitempty"` + BaseURL string `json:"baseurl,omitempty"` + Metalink string `json:"metalink,omitempty"` + MirrorList string `json:"mirrorlist,omitempty"` + GPGKeys []string `json:"gpgkeys,omitempty"` + IgnoreSSL bool `json:"ignoressl"` + SSLCACert string `json:"sslcacert,omitempty"` + SSLClientKey string `json:"sslclientkey,omitempty"` + SSLClientCert string `json:"sslclientcert,omitempty"` + MetadataExpire string `json:"metadata_expire,omitempty"` } // Hash calculates an ID string that uniquely represents a repository @@ -292,7 +292,15 @@ func (r *repoConfig) Hash() string { bts := func(b bool) string { return fmt.Sprintf("%T", b) } - return fmt.Sprintf("%x", sha256.Sum256([]byte(r.BaseURL+r.Metalink+r.MirrorList+r.GPGKey+bts(r.IgnoreSSL)+r.MetadataExpire))) + ats := func(s []string) string { + return strings.Join(s, "") + } + return fmt.Sprintf("%x", sha256.Sum256([]byte(r.BaseURL+ + r.Metalink+ + r.MirrorList+ + ats(r.GPGKeys)+ + bts(r.IgnoreSSL)+ + r.MetadataExpire))) } // Helper function for creating a depsolve request payload. diff --git a/internal/osbuild/rpm_stage.go b/internal/osbuild/rpm_stage.go index 7fbe138cd..ade1dea08 100644 
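Review bot: The tag on the key field of repoConfig changes from `gpgkey` (string) to `gpgkeys` (list), but no hunk in this diff touches whatever reads the depsolve request. Because the tag carries `omitempty`, a reader that still looks for `gpgkey` would see no key at all rather than fail, which is a quiet way to lose a trust anchor. If the consumer is updated in the same change outside this view, a field comment would record the contract, for example `// GPGKeys is sent as "gpgkeys"; the request consumer must accept a list.`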
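Review bot: The `ats` helper in repoConfig.Hash joins the keys with an empty separator, so `[]string{"ab", "c"}` and `[]string{"a", "bc"}` feed identical bytes into the digest, as does moving a suffix of the last key into the start of the next field. The doc comment says the hash uniquely represents a repository, so the list boundaries should be part of the input, for example `return strings.Join(s, "\x00")` or a length prefix per key. The same helper is added to RepoConfig.Hash in internal/rpmmd/repository.go. Changing it alters existing hash values, which matters if they are persisted or used as cache keys; that use is not visible here.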
--- a/internal/osbuild/rpm_stage.go +++ b/internal/osbuild/rpm_stage.go @@ -143,10 +143,10 @@ func pkgRefs(specs []rpmmd.PackageSpec) FilesInputRef { func NewRPMStageOptions(repos []rpmmd.RepoConfig) *RPMStageOptions { var gpgKeys []string for _, repo := range repos { - if repo.GPGKey == "" { + if len(repo.GPGKeys) == 0 { continue } - gpgKeys = append(gpgKeys, repo.GPGKey) + gpgKeys = append(gpgKeys, repo.GPGKeys...) } return &RPMStageOptions{ diff --git a/internal/rpmmd/repository.go b/internal/rpmmd/repository.go index 6292e3821..5fc7ca470 100644 --- a/internal/rpmmd/repository.go +++ b/internal/rpmmd/repository.go @@ -33,8 +33,9 @@ type RepoConfig struct { BaseURL string Metalink string MirrorList string - GPGKey string + GPGKeys []string CheckGPG bool + CheckRepoGPG bool IgnoreSSL bool MetadataExpire string RHSM bool @@ -49,7 +50,18 @@ func (r *RepoConfig) Hash() string { bts := func(b bool) string { return fmt.Sprintf("%T", b) } - return fmt.Sprintf("%x", sha256.Sum256([]byte(r.BaseURL+r.Metalink+r.MirrorList+r.GPGKey+bts(r.CheckGPG)+bts(r.IgnoreSSL)+r.MetadataExpire+bts(r.RHSM)))) + ats := func(s []string) string { + return strings.Join(s, "") + } + return fmt.Sprintf("%x", sha256.Sum256([]byte(r.BaseURL+ + r.Metalink+ + r.MirrorList+ + ats(r.GPGKeys)+ + bts(r.CheckGPG)+ + bts(r.CheckRepoGPG)+ + bts(r.IgnoreSSL)+ + r.MetadataExpire+ + bts(r.RHSM)))) } type DistrosRepoConfigs map[string]map[string][]RepoConfig @@ -212,12 +224,17 @@ func loadRepositoriesFromFile(filename string) (map[string][]RepoConfig, error) for arch, repos := range reposMap { for _, repo := range repos { + var keys []string + if repo.GPGKey != "" { + keys = []string{repo.GPGKey} + } + config := RepoConfig{ Name: repo.Name, BaseURL: repo.BaseURL, Metalink: repo.Metalink, MirrorList: repo.MirrorList, - GPGKey: repo.GPGKey, + GPGKeys: keys, CheckGPG: repo.CheckGPG, RHSM: repo.RHSM, MetadataExpire: repo.MetadataExpire, 
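Review bot: NewRPMStageOptions used to skip an empty key, but the new `len(repo.GPGKeys) == 0` guard only skips an empty list, so a `""` element inside a list is now appended to the stage's keys. The lists can now originate from stored source configs rather than from the single-key wrappers, and whether those are validated upstream is not visible in this diff. Filtering per element keeps the old guarantee and makes the length check unnecessary: `for _, k := range repo.GPGKeys { if k != "" { gpgKeys = append(gpgKeys, k) } }`. The function continues past the hunk.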
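Review bot: `CheckRepoGPG` is added to RepoConfig, hashed, and copied through the store and weldr types, but no hunk in this diff reads it when building the solver's repoConfig or the RPM stage options. As far as the visible code shows, setting it enforces nothing yet. If the consumer comes in a follow-up, a field comment would stop callers assuming a check is already in force, for example `// CheckRepoGPG is recorded and round-tripped only; nothing shown here consumes it yet.` A sentence on how it differs from `CheckGPG` would also help, since the struct documents neither.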
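Review bot: The added `bts(r.CheckRepoGPG)` term in RepoConfig.Hash does not change the digest, because the `bts` helper in the context lines formats with `%T`, which prints the type name `bool` for both true and false. Two configs that differ only in CheckRepoGPG, CheckGPG, IgnoreSSL or RHSM therefore hash identically, so anything keyed on this hash cannot tell a repo with signature checking on from the same repo with it off; the callers are not visible here. `return fmt.Sprintf("%t", b)` formats the value instead. The same helper sits in repoConfig.Hash in internal/dnfjson/dnfjson.go, and fixing it changes existing hash values.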
diff --git a/internal/store/json.go b/internal/store/json.go index 844c1942e..3ee4a86da 100644 --- a/internal/store/json.go +++ b/internal/store/json.go @@ -58,14 +58,16 @@ type imageBuildV0 struct { } type sourceV0 struct { - Name string `json:"name"` - Type string `json:"type"` - URL string `json:"url"` - CheckGPG bool `json:"check_gpg"` - CheckSSL bool `json:"check_ssl"` - System bool `json:"system"` - Distros []string `json:"distros"` - RHSM bool `json:"rhsm"` + Name string `json:"name"` + Type string `json:"type"` + URL string `json:"url"` + CheckGPG bool `json:"check_gpg"` + CheckSSL bool `json:"check_ssl"` + System bool `json:"system"` + Distros []string `json:"distros"` + RHSM bool `json:"rhsm"` + CheckRepoGPG bool `json:"check_repogpg"` + GPGKeys []string `json:"gpgkeys"` } type sourcesV0 map[string]sourceV0 diff --git a/internal/store/store.go b/internal/store/store.go index 71158e5b8..d3523d2c8 100644 --- a/internal/store/store.go +++ b/internal/store/store.go @@ -54,14 +54,16 @@ type Store struct { } type SourceConfig struct { - Name string `json:"name" toml:"name"` - Type string `json:"type" toml:"type"` - URL string `json:"url" toml:"url"` - CheckGPG bool `json:"check_gpg" toml:"check_gpg"` - CheckSSL bool `json:"check_ssl" toml:"check_ssl"` - System bool `json:"system" toml:"system"` - Distros []string `json:"distros" toml:"distros"` - RHSM bool `json:"rhsm" toml:"rhsm"` + Name string `json:"name" toml:"name"` + Type string `json:"type" toml:"type"` + URL string `json:"url" toml:"url"` + CheckGPG bool `json:"check_gpg" toml:"check_gpg"` + CheckSSL bool `json:"check_ssl" toml:"check_ssl"` + System bool `json:"system" toml:"system"` + Distros []string `json:"distros" toml:"distros"` + RHSM bool `json:"rhsm" toml:"rhsm"` + CheckRepoGPG bool `json:"check_repogpg" toml:"check_repogpg"` + GPGKeys []string `json:"gpgkeys"` } type NotFoundError struct { 
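Review bot: In SourceConfig the new `GPGKeys` field carries only `json:"gpgkeys"`, while every other field, including the `CheckRepoGPG` added beside it, also has a `toml` tag. Depending on how the TOML library maps untagged fields, a source file's `gpgkeys` entry may be matched under a different name or not at all, leaving a source that sets `check_gpg` with an empty key list. Adding `toml:"gpgkeys"` to the tag makes it consistent with SourceConfigV1 in internal/weldr/json.go.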
@@ -578,11 +580,13 @@ func (s *Store) GetAllDistroSources(distro string) map[string]SourceConfig { func NewSourceConfig(repo rpmmd.RepoConfig, system bool) SourceConfig { sc := SourceConfig{ - Name: repo.Name, - CheckGPG: repo.CheckGPG, - CheckSSL: !repo.IgnoreSSL, - System: system, - RHSM: repo.RHSM, + Name: repo.Name, + CheckGPG: repo.CheckGPG, + CheckSSL: !repo.IgnoreSSL, + System: system, + RHSM: repo.RHSM, + CheckRepoGPG: repo.CheckRepoGPG, + GPGKeys: repo.GPGKeys, } if repo.BaseURL != "" { @@ -606,6 +610,8 @@ func (s *SourceConfig) RepoConfig(name string) rpmmd.RepoConfig { repo.IgnoreSSL = !s.CheckSSL repo.CheckGPG = s.CheckGPG repo.RHSM = s.RHSM + repo.CheckRepoGPG = s.CheckRepoGPG + repo.GPGKeys = s.GPGKeys if s.Type == "yum-baseurl" { repo.BaseURL = s.URL diff --git a/internal/store/store_test.go b/internal/store/store_test.go index 16f9e30a6..fd94e657d 100644 --- a/internal/store/store_test.go +++ b/internal/store/store_test.go @@ -451,7 +451,7 @@ func (suite *storeTest) TestNewSourceConfigWithMirrorList() { } func (suite *storeTest) TestRepoConfigBaseURL() { - expectedRepo := rpmmd.RepoConfig{Name: "testSourceConfig", BaseURL: "testURL", Metalink: "", MirrorList: "", GPGKey: "", IgnoreSSL: true, MetadataExpire: ""} + expectedRepo := rpmmd.RepoConfig{Name: "testSourceConfig", BaseURL: "testURL", Metalink: "", MirrorList: "", IgnoreSSL: true, MetadataExpire: ""} suite.mySourceConfig.Type = "yum-baseurl" suite.mySourceConfig.URL = "testURL" actualRepo := suite.mySourceConfig.RepoConfig("testSourceConfig") 
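Review bot: `GPGKeys: repo.GPGKeys` in NewSourceConfig stores the caller's slice rather than a copy, so the SourceConfig and the RepoConfig share one backing array. The same holds for `repo.GPGKeys = s.GPGKeys` in SourceConfig.RepoConfig and for the two assignments in internal/weldr/json.go. A later in-place edit on either side would change the trusted keys of the other without going through the store. Copying at the boundary avoids that: `GPGKeys: append([]string(nil), repo.GPGKeys...)`. Both functions extend beyond their hunks.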
@@ -459,7 +459,7 @@ func (suite *storeTest) TestRepoConfigBaseURL() { } func (suite *storeTest) TestRepoConfigMetalink() { - expectedRepo := rpmmd.RepoConfig{Name: "testSourceConfig", BaseURL: "", Metalink: "testURL", MirrorList: "", GPGKey: "", IgnoreSSL: true, MetadataExpire: ""} + expectedRepo := rpmmd.RepoConfig{Name: "testSourceConfig", BaseURL: "", Metalink: "testURL", MirrorList: "", IgnoreSSL: true, MetadataExpire: ""} suite.mySourceConfig.Type = "yum-metalink" suite.mySourceConfig.URL = "testURL" actualRepo := suite.mySourceConfig.RepoConfig("testSourceConfig") @@ -467,7 +467,7 @@ func (suite *storeTest) TestRepoConfigMetalink() { } func (suite *storeTest) TestRepoConfigMirrorlist() { - expectedRepo := rpmmd.RepoConfig{Name: "testSourceConfig", BaseURL: "", Metalink: "", MirrorList: "testURL", GPGKey: "", IgnoreSSL: true, MetadataExpire: ""} + expectedRepo := rpmmd.RepoConfig{Name: "testSourceConfig", BaseURL: "", Metalink: "", MirrorList: "testURL", IgnoreSSL: true, MetadataExpire: ""} suite.mySourceConfig.Type = "yum-mirrorlist" suite.mySourceConfig.URL = "testURL" actualRepo := suite.mySourceConfig.RepoConfig("testSourceConfig") diff --git a/internal/weldr/json.go b/internal/weldr/json.go index 5029f37d1..c7149b400 100644 --- a/internal/weldr/json.go +++ b/internal/weldr/json.go 
@@ -193,23 +193,26 @@ func NewSourceConfigV1(id string, s store.SourceConfig) SourceConfigV1 { sc.System = s.System sc.Distros = s.Distros sc.RHSM = s.RHSM + sc.CheckRepoGPG = s.CheckRepoGPG + sc.GPGKeys = s.GPGKeys return sc } // SourceConfigV1 holds the source repository information type SourceConfigV1 struct { - ID string `json:"id" toml:"id"` - Name string `json:"name" toml:"name"` - Type string `json:"type" toml:"type"` - URL string `json:"url" toml:"url"` - CheckGPG bool `json:"check_gpg" toml:"check_gpg"` - CheckSSL bool `json:"check_ssl" toml:"check_ssl"` - System bool `json:"system" toml:"system"` - Proxy string `json:"proxy,omitempty" toml:"proxy,omitempty"` - GPGKeys []string `json:"gpgkeys,omitempty" toml:"gpgkeys,omitempty"` - Distros []string `json:"distros,omitempty" toml:"distros,omitempty"` - RHSM bool `json:"rhsm" toml:"rhsm"` + ID string `json:"id" toml:"id"` + Name string `json:"name" toml:"name"` + Type string `json:"type" toml:"type"` + URL string `json:"url" toml:"url"` + CheckGPG bool `json:"check_gpg" toml:"check_gpg"` + CheckSSL bool `json:"check_ssl" toml:"check_ssl"` + System bool `json:"system" toml:"system"` + Proxy string `json:"proxy,omitempty" toml:"proxy,omitempty"` + GPGKeys []string `json:"gpgkeys,omitempty" toml:"gpgkeys,omitempty"` + Distros []string `json:"distros,omitempty" toml:"distros,omitempty"` + RHSM bool `json:"rhsm" toml:"rhsm"` + CheckRepoGPG bool `json:"check_repogpg" toml:"check_repogpg"` } // Key returns the key, .ID in this case @@ -237,6 +240,8 @@ func (s SourceConfigV1) SourceConfig() (ssc store.SourceConfig) { ssc.CheckSSL = s.CheckSSL ssc.Distros = s.Distros ssc.RHSM = s.RHSM + ssc.CheckRepoGPG = s.CheckRepoGPG + ssc.GPGKeys = s.GPGKeys return ssc }
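Review bot: SourceConfigV1.SourceConfig now copies `GPGKeys` and `CheckRepoGPG` from the API type into the store without checking that they agree. Until this change the keys were dropped at this point; now a source with `check_gpg` or `check_repogpg` set and an empty `gpgkeys` list is stored as-is. The cloud API path in genRepoConfig rejects that combination with ErrorNoGPGKey. If the weldr handler that calls this method does not already validate it (the handler is not part of this diff), the same rule belongs there or in a comment here stating who enforces it. The method body begins before the hunk.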