1.2.1.1 Ensure GPG keys are configured
Audit#
Verify GPG keys are configured correctly for your package manager:
Note: - apt-key list is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). - With the deprecation of apt-key it is recommended to use the Signed-By option in sources.list to require a repository to pass apt-secure(8) verification with a certain set of keys rather than all trusted keys apt has configured.
- OR - 1. Run the following script and verify GPG keys are configured correctly for your package manager:
#! /usr/bin/env bash
{
for file in /etc/apt/trusted.gpg.d/*.{gpg,asc} /etc/apt/sources.list.d/*.{gpg,asc} ; do
if [ -f "$file" ]; then
echo -e "File: $file"
gpg --list-packets "$file" 2>/dev/null | awk '/keyid/ && !seen[$NF]++ {print "keyid:", $NF}'
gpg --list-packets "$file" 2>/dev/null | awk '/Signed-By:/ {print "signed-by:", $NF}'
echo -e
fi
done
}
- REVIEW and VERIFY to ensure that GPG keys are configured correctly for your package manager IAW site policy.
Remediation#
Update your package manager GPG keys in accordance with site policy.