Ensure Fedora GPG Key Installed

An XCCDF Rule

Description

To ensure the system can cryptographically verify base software packages come from Fedora (and to connect to the Fedora Network to receive them), the Fedora GPG key must properly be installed. To install the Fedora GPG key, run one of the commands below, depending on your Fedora vesion:

$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-38-primary

$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-primary

Rationale

Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Fedora GPG key is necessary to cryptographically verify packages are from Fedora."

ID: xccdf_org.ssgproject.content_rule_ensure_fedora_gpgkey_installed
Severity: High
References: 11 2 3 9

5.10.4.1

APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02

3.4.8

CCI-001749

164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i)

4.3.4.3.2 4.3.4.3.3 4.3.4.4.4

SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6

A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4

CM-5(3) CM-6(a) SC-12 SC-12(3) SI-7

PR.DS-6 PR.DS-8 PR.IP-1

Req-6.2
Updated: about 1 year ago


if ! rpm -q --quiet "gpg" ; then
    dnf install -y "gpg"
fi

fedora_version=$(grep -oP '[[:digit:]]+' /etc/redhat-release)
function get_release_fingerprint {
    if [ "${fedora_version}" -eq "40" ]; then
        readonly FEDORA_RELEASE_FINGERPRINT="115DF9AEF857853EE8445D0A0727707EA15B79CC"
    elif [ "${fedora_version}" -eq "38" ]; then
        readonly FEDORA_RELEASE_FINGERPRINT="6A51BBABBA3D5467B6171221809A8D7CEB10B464"
    elif [ "${fedora_version}" -eq "37" ]; then
        readonly FEDORA_RELEASE_FINGERPRINT="ACB5EE4E831C74BB7C168D27F55AD3FB5323552A"
    elif [ "${fedora_version}" -eq "39" ]; then
        readonly FEDORA_RELEASE_FINGERPRINT="E8F23996F23218640CB44CBE75CF5AC418B8E74C"
    else
        printf '%s\n' "This Fedora version '$fedora_version' is not supported anymore, please upgrade to a newer version." >&2
        return 1
    fi
}

# Location of the key we would like to import (once it's integrity verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${fedora_version}-primary"

RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")

function remediate_gpgkey_installed {
    # Return if there was an issue getting the release fingerprint
    get_release_fingerprint || return 1
    # Verify /etc/pki/rpm-gpg directory permissions are safe
    if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]; then
        # If they are safe, try to obtain fingerprints from the key file
        # (to ensure there won't be e.g. CRC error).
        readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "${REDHAT_RELEASE_KEY}" | grep '^fpr' | cut -d ":" -f 10)
        GPG_RESULT=$?
        # No CRC error, safe to proceed
        if [ "${GPG_RESULT}" -eq "0" ]; then
            echo "${GPG_OUT[*]}" | grep -vE "${FEDORA_RELEASE_FINGERPRINT}" || {
            # If file doesn't contain any keys with unknown fingerprint, import it
            rpm --import "${REDHAT_RELEASE_KEY}"
            }
        fi
    fi
}

remediate_gpgkey_installed

Ensure Fedora GPG Key Installed

Description

Rationale

Remediation - Shell Script