Check
Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values.
Note: For Red Hat Enterprise Linux 7 software packages, Red Hat uses GPG keys labeled "release key 2" and "auxiliary key". The keys are defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" by default.
List Red Hat GPG keys installed on the system:
$ sudo rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | grep -i "red hat"
gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)
If Red Hat GPG keys "release key 2" and "auxiliary key" are not installed, this is a finding.
List key fingerprints of installed Red Hat GPG keys:
$ sudo gpg -q --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
If key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" is missing, this is a finding.
Example output:
pub 4096R/FD431D51 2009-10-22 Red Hat, Inc. (release key 2) <security@redhat.com>
      Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
pub 1024D/2FA658E0 2006-12-01 Red Hat, Inc. (auxiliary key) <security@redhat.com>
      Key fingerprint = 43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0
Compare key fingerprints of installed Red Hat GPG keys with fingerprints listed on Red Hat "Product Signing Keys" webpage at https://access.redhat.com/security/team/key.
If key fingerprints do not match, this is a finding.
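The check above is manual: run two commands and eyeball the output against the vendor page. The following POSIX shell script is an added example (not part of the STIG check text) that automates both steps: it confirms that both Red Hat key labels appear in the installed gpg-pubkey packages, and it compares the fingerprints printed by gpg against an expected list. The expected fingerprints are the two values shown in the example output above; the function and variable names, and the sample rpm/gpg output embedded for offline testing, are constructed for this example. On a live RHEL 7 host, `check_system` runs the real `rpm` and `gpg` commands from the check.

```shell
#!/bin/sh
# Added example: automate the RHEL 7 Red Hat GPG key check.
# Function names, sample output and EXPECTED_FPRS layout are constructed here.

# Fingerprints copied from the check's example output (spaces removed).
EXPECTED_FPRS="567E347AD0044ADE55BA8A5F199E2F91FD431D51
43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"

# Key labels the check requires to be present in the gpg-pubkey packages.
EXPECTED_LABELS="release key 2
auxiliary key"

# Constructed sample of `rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey` output.
SAMPLE_RPM_OUTPUT='gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)'

# Constructed sample of `gpg -q --with-fingerprint <keyfile>` output.
SAMPLE_GPG_OUTPUT='pub 4096R/FD431D51 2009-10-22 Red Hat, Inc. (release key 2) <security@redhat.com>
      Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
pub 1024D/2FA658E0 2006-12-01 Red Hat, Inc. (auxiliary key) <security@redhat.com>
      Key fingerprint = 43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0'

# check_labels LABELS: read rpm summary lines on stdin; succeed only if every
# required label appears on a line that also names Red Hat.
check_labels() {
    summaries=$(grep -i "red hat")
    rc=0
    printf '%s\n' "$1" | while IFS= read -r label; do
        if ! printf '%s\n' "$summaries" | grep -qF "($label)"; then
            echo "MISSING KEY: $label" >&2
            exit 1      # exits the subshell created by the pipe
        fi
    done || rc=1
    return $rc
}

# extract_fingerprints: read gpg output on stdin, emit one 40-hex-digit
# fingerprint per line with the display spaces stripped and upper-cased.
extract_fingerprints() {
    sed -n 's/.*Key fingerprint = //p' | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_fingerprints EXPECTED: read gpg output on stdin; succeed only if every
# expected fingerprint is present (exact whole-line match, so a single changed
# hex digit is reported as missing).
check_fingerprints() {
    found=$(extract_fingerprints)
    rc=0
    for fpr in $1; do
        if ! printf '%s\n' "$found" | grep -qx "$fpr"; then
            echo "MISSING FINGERPRINT: $fpr" >&2
            rc=1
        fi
    done
    return $rc
}

# check_system: the live check for a RHEL 7 host (requires rpm and gpg).
check_system() {
    keyfile=/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | check_labels "$EXPECTED_LABELS" || return 1
    [ -f "$keyfile" ] || { echo "FINDING: key file missing: $keyfile" >&2; return 1; }
    gpg -q --with-fingerprint "$keyfile" | check_fingerprints "$EXPECTED_FPRS" || return 1
    echo "OK: Red Hat GPG keys installed and fingerprints match expected values"
}
```

Keep `EXPECTED_FPRS` in sync with the fingerprints published on the Red Hat "Product Signing Keys" page rather than trusting whatever is currently in `/etc/pki/rpm-gpg`; the point of the check is that the comparison value comes from out-of-band vendor data, not from the host being assessed.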