mediumsystemverified ✓
Ensure Red Hat package-signing keys are installed
redhat-gpg-keys-installed · RHEL ≥ 8 · 1 impl
Description
RHEL 8 must have the Red Hat GPG package-signing keys installed so that the package manager can cryptographically verify vendor software before installation.
Rationale
Verifying package signatures against the vendor keys ensures only authentic, unmodified Red Hat packages are installed, protecting the software supply chain.
Check → Remediate
Checkcommand
rpm -q --queryformat '%{SUMMARY}\n' gpg-pubkey 2>/dev/null |
grep -qi 'Red Hat.*release key'
- expected_exit:
- 0
Remediatemanual
- note:
- Install the Red Hat package-signing keys from trusted media. Import with: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release then verify the fingerprints match the published vendor values.
Framework references
CIS
rhel9 1.2.1.1rhel8 1.2.1.1rhel10 1.2.1.1
STIG
V-280931 / RHEL-10-001020V-256973 / RHEL-08-010019
NIST 800-53
CM-5(3)SI-7
Live verification
rhel8:checkrhel9:check
#gpg#package-signing#supply-chain#integrity