Description of problem:
COPR currently signs packages, but not the repository metadata. Without signing the metadata, there's no obvious way to prevent DNF from reading untrusted repository metadata.
This involves adding to the signer to sign the generated repository metadata and having the frontend generate .repo files that include "repo_gpgcheck=1".
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set a copr repo to "repo_gpgcheck=1" in /etc/yum.repos.d repo file
2. dnf --refresh install <package>
Actual results:
DNF complains that there's no repodata signature to verify.
Expected results:
DNF silently verifies that the repodata is properly signed.
Additional info:
As of https://github.com/fedora-copr/copr/commit/28e0109882afbfb52a7eedff0f38973f1cdf3432, repo_gpgcheck is currently always set to "0". If this feature request is implemented, it should be changed to get the value set the same way "gpgcheck" is.
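An added example, not part of the original report and not COPR or DNF code: a small audit that reads .repo file text and reports which enabled repositories verify packages but not repository metadata, which is the state this report describes. The repo IDs and URLs in SAMPLE are constructed placeholders, and the function names and the [main] defaults passed as parameters are assumptions of this example.

```python
import configparser

# Boolean spellings accepted in DNF configuration files.
_TRUE = {"1", "yes", "true", "on"}
_FALSE = {"0", "no", "false", "off"}

def _flag(section, key, default):
    """Read a DNF-style boolean option, falling back to the inherited default."""
    raw = section.get(key)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE or value in _FALSE:
        return value in _TRUE
    raise ValueError(f"{section.name}: bad boolean for {key}: {raw!r}")

def audit_repo_text(text, main_gpgcheck=False, main_repo_gpgcheck=False):
    """Classify each enabled repo by what DNF would verify for it.

    main_* stand for the values inherited from [main] in dnf.conf; the
    caller supplies them (assumption: both are off when unset).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        sec = parser[repo_id]
        if not _flag(sec, "enabled", True):
            continue  # disabled repos are never fetched
        pkgs = _flag(sec, "gpgcheck", main_gpgcheck)
        meta = _flag(sec, "repo_gpgcheck", main_repo_gpgcheck)
        if pkgs and meta:
            findings[repo_id] = "packages+metadata"
        elif pkgs:
            findings[repo_id] = "packages-only"  # signed RPMs, unsigned repodata
        else:
            findings[repo_id] = "metadata-only" if meta else "unverified"
    return findings

# Constructed sample input; IDs and URLs are placeholders.
SAMPLE = """\
[copr:example.invalid:alice:tool]
baseurl=https://example.invalid/results/alice/tool/fedora-$releasever-$basearch/
gpgcheck=1
repo_gpgcheck=0

[copr:example.invalid:bob:lib]
baseurl=https://example.invalid/results/bob/lib/fedora-$releasever-$basearch/
gpgcheck=1
repo_gpgcheck=1
"""
```

Feed it the contents of each file under /etc/yum.repos.d; any repo reported as "packages-only" trusts its repodata without a signature check.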