← Rules Catalog
mediumsystemverified

Ensure Red Hat package-signing keys are installed

redhat-gpg-keys-installed · RHEL ≥ 8 · 1 impl

Description

RHEL 8 must have the Red Hat GPG package-signing keys installed so that the package manager can cryptographically verify vendor software before installation.

Rationale

Verifying package signatures against the vendor keys ensures only authentic, unmodified Red Hat packages are installed, protecting the software supply chain.

Check → Remediate

Checkcommand
rpm -q --queryformat '%{SUMMARY}\n' gpg-pubkey 2>/dev/null |
  grep -qi 'Red Hat.*release key'
expected_exit:
0
Remediatemanual
note:
Install the Red Hat package-signing keys from trusted media. Import with: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release then verify the fingerprints match the published vendor values.

Framework references

CIS

rhel9 1.2.1.1rhel8 1.2.1.1rhel10 1.2.1.1

STIG

V-280931 / RHEL-10-001020V-256973 / RHEL-08-010019

NIST 800-53

CM-5(3)SI-7

Live verification

rhel8:checkrhel9:check
#gpg#package-signing#supply-chain#integrity