mediumsystemverified ✓rollback-safe
Enable GPG checking for local packages
localpkg-gpgcheck-enabled · RHEL ≥ 8 · 1 impl
Description
The localpkg_gpgcheck option should be enabled to verify GPG signatures on locally installed packages (RPM files not from repositories).
Rationale
Verifying local packages ensures that manually installed RPMs are from trusted sources and have not been modified, preventing installation of tampered or malicious packages.
Check → Remediate
Checkconfig_value
- path:
- /etc/dnf/dnf.conf
- key:
- localpkg_gpgcheck
- expected:
- 1
Remediateconfig_set
- path:
- /etc/dnf/dnf.conf
- key:
- localpkg_gpgcheck
- value:
- 1
- separator:
- =
Framework references
STIG
V-230265V-257821V-280933
NIST 800-53
CM-11(a)SI-7
Live verification
rhel10:checkrhel8:checkrhel9:check
#packages#gpg#dnf#local#security