RPM repo data is not signed and documentation misses repo_gpgcheck
The torproject RPM repos do not provide signed repomd.xml files (repomd.xml.asc); this would allow an attacker to 'hide' updates from clients [1].
From the yum.conf manpage [2]:
//repo_gpgcheck Either '1' or '0'. This tells yum whether or not it should perform a GPG signature check on the repodata. When this is set in the [main] section it sets the default for all repositories. The default is '0'.//
Once you provide repomd.xml.asc files, please update [3] so that the documented client configuration sets repo_gpgcheck=1.
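As an added example (not code from this ticket or from the Tor Project), the following POSIX shell script shows both halves of the fix from the client side: it audits .repo files for the repo_gpgcheck=1 setting the manpage describes (honouring a [main] section as the default, as yum.conf does) and checks a fetched repodata directory for the detached repomd.xml.asc signature, reporting the unsigned-repodata condition separately. The repo name, mirror URL, key path and sample files are constructed placeholders, and the verify path assumes gpg is installed with the repo key in the current keyring.

```shell
#!/bin/sh
# Added example, not code from the ticket or from the Tor Project: audit
# yum/dnf repo definitions for repo_gpgcheck=1 and check a fetched repodata
# directory for a signed repomd.xml. Repo names, URLs and files are constructed.

# Record the result for the section just parsed. A [main] section sets the
# defaults that later sections inherit (yum.conf semantics); any other section
# fails unless gpgcheck and repo_gpgcheck both resolve to 1.
_finish_section() {
    [ -n "$AUDIT_SECTION" ] || return 0
    if [ "$AUDIT_SECTION" = main ]; then
        AUDIT_DEFAULT_GPG=$AUDIT_GPG
        AUDIT_DEFAULT_REPO_GPG=$AUDIT_REPO_GPG
    elif [ "$AUDIT_GPG" != 1 ] || [ "$AUDIT_REPO_GPG" != 1 ]; then
        echo "$AUDIT_FILE: [$AUDIT_SECTION] gpgcheck=$AUDIT_GPG repo_gpgcheck=$AUDIT_REPO_GPG" >&2
        AUDIT_STATUS=1
    fi
}

# audit_repo_file FILE -> 0 if every repo section enables package and
# repodata signature checks, 1 otherwise (offenders are reported on stderr).
audit_repo_file() {
    AUDIT_FILE=$1
    AUDIT_STATUS=0
    AUDIT_SECTION=""
    AUDIT_DEFAULT_GPG=0
    AUDIT_DEFAULT_REPO_GPG=0
    AUDIT_GPG=0
    AUDIT_REPO_GPG=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop whitespace so "repo_gpgcheck = 1" and "repo_gpgcheck=1" match alike.
        key=$(printf '%s' "$line" | tr -d ' \t')
        case "$key" in
            \#*|\;*|'') ;;
            \[*\])
                _finish_section
                AUDIT_SECTION=${key#\[}
                AUDIT_SECTION=${AUDIT_SECTION%\]}
                AUDIT_GPG=$AUDIT_DEFAULT_GPG
                AUDIT_REPO_GPG=$AUDIT_DEFAULT_REPO_GPG ;;
            gpgcheck=*)      AUDIT_GPG=${key#gpgcheck=} ;;
            repo_gpgcheck=*) AUDIT_REPO_GPG=${key#repo_gpgcheck=} ;;
        esac
    done < "$AUDIT_FILE"
    _finish_section
    return "$AUDIT_STATUS"
}

# verify_repomd DIR -> 0 if DIR/repomd.xml has a detached signature that gpg
# verifies against the current keyring, 2 if repomd.xml.asc is absent (the
# condition this ticket reports), 1 if the file is missing or does not verify.
verify_repomd() {
    dir=$1
    if [ ! -f "$dir/repomd.xml" ]; then
        echo "$dir: no repomd.xml" >&2; return 1
    fi
    if [ ! -f "$dir/repomd.xml.asc" ]; then
        echo "$dir: repomd.xml is unsigned (no repomd.xml.asc); repo_gpgcheck=1 would refuse it" >&2
        return 2
    fi
    gpg --verify "$dir/repomd.xml.asc" "$dir/repomd.xml" >/dev/null 2>&1 && return 0
    echo "$dir: repomd.xml.asc does not verify" >&2
    return 1
}

# Constructed sample files for a stand-alone run: a weak .repo (packages
# checked, repodata not), a hardened one, and a repodata dir without .asc.
write_samples() {
    cat > "$1/weak.repo" <<'EOF'
[tor-rpm]
name=constructed example: packages checked, repodata not
baseurl=https://EXAMPLE-MIRROR.invalid/rpm/el/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-KEY
EOF
    cat > "$1/hardened.repo" <<'EOF'
[tor-rpm]
name=constructed example: packages and repodata both checked
baseurl=https://EXAMPLE-MIRROR.invalid/rpm/el/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-KEY
EOF
    mkdir -p "$1/repodata"
    printf '<repomd/>\n' > "$1/repodata/repomd.xml"   # deliberately no .asc beside it
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
for f in "$SAMPLE_DIR/weak.repo" "$SAMPLE_DIR/hardened.repo"; do
    if audit_repo_file "$f"; then echo "$f: ok"; fi
done
verify_repomd "$SAMPLE_DIR/repodata" || echo "repomd check exit status $?"
```

Run it against /etc/yum.repos.d/*.repo to find repositories that would still accept tampered repodata; a repo that fails the audit only because the server has no repomd.xml.asc cannot be hardened client-side, which is exactly why the ticket asks the server side to sign first.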
[1] https://lwn.net/Articles/327847/
[2] http://linux.die.net/man/5/yum.conf
[3] https://www.torproject.org/docs/rpms.html.en