The infamous --nogpgcheck

Let’s take an example from the /etc/yum.repos.d/rocky.repo file:

[baseos]
name=Rocky Linux $releasever - BaseOS
mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever$rltype
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=0
countme=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

as you can see here gpgcheck=1. You could edit the file and set it to gpgcheck=0, or you can use --nogpgcheck on the command line to override it.

Also, as per: man dnf

      --nogpgcheck
              Skip checking GPG signatures on packages (if RPM policy allows).

The GPG check is there for a reason though, to ensure the packages are downloaded correctly and from a trusted source.