CME-406

Signed Package Enforcement (GPG)

Description

Rejects installation of unsigned or tampered RPM/DEB packages by validating GPG signatures against trusted keys. Prevents supply chain attacks via package repositories.

CVSS Vector Impacts

Metric          Transition   Rationale
Integrity (I)   H -> L       Cannot install tampered packages; cryptographic verification enforced

CWE Relationships

Verification

Verify gpgcheck enabled for all repos

$ grep -r 'gpgcheck' /etc/yum.repos.d/ | grep -v 'gpgcheck=1'
# Expected: no output (every gpgcheck line reads gpgcheck=1)
Platform: rhel

Verify trusted signing keys are imported

$ rpm -qa gpg-pubkey
# Expected: gpg-pubkey
Platform: rhel
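The grep above only catches repositories that set gpgcheck to something other than 1; a repo section with no gpgcheck line at all is silent under that check, yet it falls back to whatever the global default is. The following is an added example, not part of the CME-406 page or of any vendor tool: a POSIX shell audit that parses .repo-style content and reports every section where gpgcheck is missing or not equal to 1. The repository contents and hostnames are constructed for the example; in practice the function would be fed `cat /etc/yum.repos.d/*.repo | audit_repos` (and /etc/dnf/dnf.conf, whose [main] section carries the global default).

```shell
#!/bin/sh
# Added example (not from the CME-406 page): audit repo definitions for
# sections that would accept unsigned packages.
# Reads .repo-style text on stdin and prints one "<repo-id> <reason>" line per
# non-compliant section; prints nothing when every section has gpgcheck=1.
audit_repos() {
  awk '
    function flush() {
      if (id != "") {
        if (seen == 0)       printf "%s gpgcheck missing\n", id
        else if (val != "1") printf "%s gpgcheck=%s\n", id, val
      }
    }
    # A "[section]" header starts a new repository definition.
    /^[ \t]*\[.*\][ \t]*$/ {
      flush()
      id = $0; sub(/^[ \t]*\[/, "", id); sub(/\][ \t]*$/, "", id)
      seen = 0; val = ""
      next
    }
    # Record the gpgcheck value for the current section, whitespace-tolerant.
    /^[ \t]*gpgcheck[ \t]*=/ {
      val = $0
      sub(/^[ \t]*gpgcheck[ \t]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      seen = 1
    }
    END { flush() }
  '
}

# Exit 0 only when the input has no non-compliant sections, so the audit can
# gate a CI pipeline or configuration-management run.
repos_compliant() {
  [ "$(audit_repos | wc -l | tr -d ' ')" -eq 0 ]
}

# Constructed sample: three repo sections; [base] is correct, [vendor-tools]
# disables signature checking, [internal] omits gpgcheck entirely.
SAMPLE_REPOS='[base]
name=Base OS
baseurl=https://mirror.example.invalid/base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[vendor-tools]
name=Vendor tools
baseurl=https://mirror.example.invalid/tools
gpgcheck = 0

[internal]
name=Internal builds
baseurl=https://mirror.example.invalid/internal
'

# Run the audit over the constructed sample.
check_sample() {
  printf '%s\n' "$SAMPLE_REPOS" | audit_repos
}

# Compliance verdict for the constructed sample (non-zero: two bad sections).
sample_compliant() {
  printf '%s\n' "$SAMPLE_REPOS" | repos_compliant
}

check_sample
```

Each flagged section names the repo id, so the finding maps directly back to the file that needs `gpgcheck=1` (and a matching `gpgkey=`) added. Note that rpm itself only verifies a signature against keys already imported into the RPM database, which is why the second verification step on this page (rpm -qa gpg-pubkey) matters alongside the repo setting.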