An rpm/yum client can check the GPG signatures of the packages in a repository; see the gpgcheck option described at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-configuring_yum_and_yum_repositories
One can also specify a URI to the gpgkey to validate the packages. In the case of a remote repository, the repository maintainer may include the public gpgkey file directly on the remote host.
Request validation for Nexus proxy repositories currently returns 404 Not Found for any request other than for .rpm files and repodata/ metadata files, so configuring the rpm client to fetch the gpgkey from an arbitrary path in the proxy repository can fail.
There does not appear to be a naming convention or path convention for these key files.
Example Key files:
Getting these key files through any means other than an NXRM proxy URL is challenging in firewalled environments where the only route to these remotes is through Nexus: the yum clients have no external access.
Nexus Repository Manager should provide some common facility to allow rpm clients to get gpgkeys to verify package signatures in remote repositories.
As part of this work, consider that hosted YUM repos may also need to support providing clients a GPGkey to validate packages published into Nexus.
Group repositories are a special consideration since the packages served from them potentially come from many different sources.
As a workaround, you can create a RAW proxy repository pointing at the same remote URL as the YUM proxy repository and set gpgkey to the key's URL in that RAW repository instead.
Alternatively, an administrator can create a single RAW hosted repository to store all remote keys in whatever layout is needed, and the URL of each specific key can be shared with YUM clients as required.
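The following .repo file, added here as an illustration and not taken from the ticket or from Nexus Repository Manager itself, shows the workaround from the client side: an insecure stanza with signature checking disabled next to the hardened stanza that enforces gpgcheck and fetches the key through a RAW proxy repository. The hostname nexus.example.internal, the repository names centos-proxy and centos-keys-raw, and the key file name are all assumptions; the key path must match whatever layout the remote actually uses.

```ini
# /etc/yum.repos.d/nexus-centos.repo (constructed example; host and repository names are assumptions)

# Insecure form: gpgcheck=0 disables signature verification, so a tampered or
# substituted package served through the proxy would install without complaint.
[nexus-centos-nocheck]
name=CentOS via Nexus (no signature check)
baseurl=https://nexus.example.internal/repository/centos-proxy/7/os/x86_64/
enabled=0
gpgcheck=0

# Hardened form: gpgcheck=1 makes yum verify every package signature before
# installation. gpgkey points at the key served by a RAW proxy repository
# (centos-keys-raw) that fronts the same remote as the YUM proxy, so the
# firewalled client never needs direct access to the upstream host.
[nexus-centos]
name=CentOS via Nexus (signature check enforced)
baseurl=https://nexus.example.internal/repository/centos-proxy/7/os/x86_64/
enabled=1
gpgcheck=1
gpgkey=https://nexus.example.internal/repository/centos-keys-raw/RPM-GPG-KEY-CentOS-7
```

On first use yum downloads the key from the gpgkey URL and asks whether to import it; the fingerprint it shows should be compared against the one published by the upstream project before answering yes, since the proxy only relays the key and does not vouch for it.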