← Rules Catalog
highsystemverified rollback-safe

Enable GPG signature checking for packages

gpgcheck-enabled · RHEL ≥ 8 · 1 impl

Description

The gpgcheck option in /etc/dnf/dnf.conf must be enabled to ensure all packages are verified using GPG signatures before installation.

Rationale

GPG signature verification ensures packages come from trusted sources and have not been tampered with. Without this, malicious packages could be installed on the system.

Check → Remediate

Checkconfig_value
path:
/etc/dnf/dnf.conf
key:
gpgcheck
expected:
1
Remediateconfig_set
path:
/etc/dnf/dnf.conf
key:
gpgcheck
value:
1
separator:
=

Framework references

CIS

rhel8 1.2.1.2rhel9 1.2.1.2rhel10 1.2.1.2

STIG

V-230264V-257819 / RHEL-09-214010V-257820 / RHEL-09-214015V-280932 / RHEL-10-001030

NIST 800-53

CM-11(a)SI-7

Live verification

rhel10:checkrhel8:checkrhel9:check
#packages#gpg#dnf#security