{"description": "The operation system or installed application can be successfully bootstrapped\nwithout the GPG key being trusted. However, you cannot install new packages or\nupdate them until the keys are trusted.\n<br /><br />\nMost packages managers implement GPG key signing to verify package integrity\nduring installation.\n<br /><br />\nTo verify GPG keys are configured correctly for your package manager,\none of the following command groups may provide the needed information\ndepending on the package manager in use.\n<br /><br />\nIn SUSE Linux distributions, the administrators have to follow the next steps: <br />\n1. Log on to the system as a user with administrator rights.<br />\n2. Locate and download package, for example zoom_x86_64.rpm<br />\n3. Locate and download the public key (GPG) from the software download site, for\nexample the key for zoom package is package-signing-key-5-12-6.pub<br />\n4. Import the key public key:<br />\n<tt>$ sudo rpm --import package-signing-key-5-12-6.pub</tt><br />\n5. List the keys, for example the command:<br />\n<tt>$ sudo rpm -qa gpg-pubkey*</tt><br />\nwill provide:<br />\n<tt>gpg-pubkey-dd79b481-62fe7502</tt><br />\n6. Get more details about the key, via the command:<br />\n<tt>$ sudo rpm -qa gpg-pubkey-dd79b481-62fe7502</tt><br />\n7. Check the GPG key, for example the command:<br />\n<tt>$ sudo rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --&gt; %{summary}\\n'</tt><br />\nwill provide:<br />\n<tt>gpg-pubkey-dd79b481-62fe7502 --&gt; gpg(Zoom Video Communications, Inc. &lt;CryptoOpsCodeSignProd@zoom.us&gt;)</tt><br />\n<br /><br />", "rationale": "It is important to ensure that updates are obtained from a valid source to protect\nagainst spoofing that could lead to the inadvertent installation of malware on the\nsystem.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "Your package manager GPG keys are not configured in accordance with site policy", "ocil": "To verify GPG keys are configured correctly for your package manager, one of the\nfollowing command groups may provide the needed information depending on the\npackage manager in use.\n\nIn SUSE Linux distributions, the administrators have to follow the next steps: <br />\n1. Log on to the system as a user with administrator rights.<br />\n2. Locate and download package, for example zoom_x86_64.rpm<br />\n3. Locate and download the public key (GPG) from the software download site, for example\nthe key for zoom package is package-signing-key-5-12-6.pub<br />\n4. Import the key public key:<br />\n<tt>set pub_key_import = \"$ sudo rpm --import package-signing-key-5-12-6.pub</tt><br />\n5. List the keys, for example the command:<br />\n<tt>$ sudo rpm -qa gpg-pubkey*</tt><br />\nwill provide:<br />\n<tt>gpg-pubkey-dd79b481-62fe7502</tt><br />\n6. Get more details about the key, via the command:<br />\n<tt>$ sudo rpm -qa gpg-pubkey-dd79b481-62fe7502</tt><br />\n7. Check the GPG key, for example the command:<br />\n<tt>$ sudo rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --&gt; %{summary}\\n'</tt><br />\nwill provide:<br />\n<tt>gpg-pubkey-dd79b481-62fe7502 --&gt; gpg(Zoom Video Communications, Inc. &lt;CryptoOpsCodeSignProd@zoom.us&gt;)</tt><br />\n<br /><br />", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure GPG keys are configured", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/updating/ensure_GPG_keys_are_configured/rule.yml", "template": null}