build-sys: Enable GPG checking for CentOS compose repos

Use gpgcheck=1 and reference the official CentOS GPG key instead of
disabling signature verification. This ensures package integrity during
builds while still using compose repos to avoid version skew.

Assisted-by: OpenCode (Claude Sonnet 4)

Author: cgwalters

contrib/packaging/enable-compose-repos

@@ -14,16 +14,18 @@ case "${ID}" in
 [compose-baseos]
 name=CentOS Stream $releasever Compose BaseOS
 baseurl=https://composes.stream.centos.org/stream-$releasever/production/latest-CentOS-Stream/compose/BaseOS/$basearch/os/
-gpgcheck=0
+gpgcheck=1
 enabled=1
 priority=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 
 [compose-appstream]
 name=CentOS Stream $releasever Compose AppStream
 baseurl=https://composes.stream.centos.org/stream-$releasever/production/latest-CentOS-Stream/compose/AppStream/$basearch/os/
-gpgcheck=0
+gpgcheck=1
 enabled=1
 priority=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 EOF
     echo "Enabled CentOS Stream compose repos"
     ;;