Repo_gpgcheck ensures that Linux verifies the authenticity of software packages downloaded from repositories, reinforcing overall system security and safeguarding against unauthorized software sources.
What is a Linux repository and a GPG check
A repository in Linux is a storage location where software packages are managed and organized. When installing or updating software, Red Hat-based Linux systems pull the required packages from these repositories using the YUM (Yellowdog Updater, Modified) package manager.
Activating gpgcheck ensures that software packages are signed with a valid GPG (GNU Privacy Guard) key. Each package carries a digital signature that is verified against the publisher's public key, confirming that the package hasn't been tampered with and comes from a trusted source.
When gpgcheck is set to 1, it instructs yum to check each package's GPG signature before installing it, which helps protect the system from malicious software.
What is repo_gpgcheck and why is it important
When using yum install to add software, repo_gpgcheck ensures that not only the individual packages are authenticated but also the repository metadata's GPG signature is validated. Setting repo_gpgcheck=1 instructs yum to verify that the repository data, such as package lists and headers, is signed with a trusted GPG key.
This can help prevent attacks such as CVE-2021-20271, in which a compromised repository is used to distribute unverified metadata and malicious packages. Attacks like this can lead to RPM database corruption and code execution, leaving confidential data vulnerable.
Enabling repo_gpgcheck on a repository complements the package-level check: besides the packages themselves, it ensures the integrity of the repository metadata, reinforcing overall system security and safeguarding against unauthorized software sources.
How to activate repo_gpgcheck per repository
To activate repo_gpgcheck on a single repository, first check that the particular repository supports GPG checking of its repodata. Then edit the relevant files in /etc/yum.repos.d/ and set every repo_gpgcheck line to 1.
How to activate repo_gpgcheck globally
To activate repo_gpgcheck globally, edit /etc/dnf/dnf.conf and set repo_gpgcheck=1 in the [main] section.
Example:
[main]
repo_gpgcheck=1
Repo_gpgcheck compatibility
Not all repositories support repo_gpgcheck, notably some Red Hat repositories. For repositories lacking this support, it's essential to keep the setting disabled (it is false by default). If repo_gpgcheck is enabled on an unsupported repository, package installations from it will fail.
When configuring a yum repository on Red Hat or CentOS, it's often necessary to authenticate packages by importing the GPG key associated with the repository. You can do this with the rpm --import command, which installs the public GPG key used to verify the integrity of packages and metadata in the repository.
Because of these unsupported repositories, it is important to review which repositories are active on the system and verify which ones support repo_gpgcheck. This helps avoid conflicts and keeps package management working smoothly.
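The procedure described above (per-repository settings, the global [main] default, and checking which repositories can actually use repo_gpgcheck) as an added shell example. It is not part of the original article and is not a Red Hat, yum or dnf tool: it parses the .repo and dnf.conf-style files itself with awk, takes the directory and file paths as parameters so it can be pointed at /etc/yum.repos.d and /etc/dnf/dnf.conf, and builds a constructed sample tree in a temporary directory so it runs offline. The repo ids, file names and URLs in the sample are made up. The support test is whether the repository serves repodata/repomd.xml.asc, the detached signature that yum/dnf fetch and verify when repo_gpgcheck=1.

```shell
#!/bin/sh
# Added example (not from the original article): audit repo definitions for
# gpgcheck/repo_gpgcheck, read the global default from a dnf.conf-style file,
# and test whether a repository publishes signed metadata (repomd.xml.asc).

# One line per [section]: "<file> <id> enabled=.. gpgcheck=.. repo_gpgcheck=.. baseurl=.."
# Absent keys print "unset" (enabled defaults to 1, as in dnf); "#"/";" lines are comments.
parse_ini_file() {
    awk -v file="$1" '
        function val(    v) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); return v }
        function flush() {
            if (id != "")
                printf "%s %s enabled=%s gpgcheck=%s repo_gpgcheck=%s baseurl=%s\n", file, id, en, gc, rgc, url
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { flush(); id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
                        en = "1"; gc = "unset"; rgc = "unset"; url = "unset"; next }
        /^[ \t]*enabled[ \t]*=/       { en  = val() }
        /^[ \t]*gpgcheck[ \t]*=/      { gc  = val() }
        /^[ \t]*repo_gpgcheck[ \t]*=/ { rgc = val() }
        /^[ \t]*baseurl[ \t]*=/       { url = val() }
        END { flush() }
    ' "$1"
}

# All *.repo files under a yum.repos.d-style directory.
list_repo_settings() {
    for f in "$1"/*.repo; do
        if [ -f "$f" ]; then parse_ini_file "$f"; fi
    done
}

# repo_gpgcheck from the [main] section of a dnf.conf-style file.
# dnf treats an absent key as False, so "unset" is reported as 0.
global_repo_gpgcheck() {
    v=$(parse_ini_file "$1" | awk '$2 == "main" {
            for (i = 3; i <= NF; i++)
                if (index($i, "repo_gpgcheck=") == 1) { print substr($i, 15); exit }
        }')
    case $v in ""|unset) v=0 ;; esac
    printf '%s\n' "$v"
}

# List every enabled repository whose effective repo_gpgcheck (its own value,
# or the global default when unset) is not on. Returns 1 if any are found.
audit_repo_gpgcheck() {
    default=$(global_repo_gpgcheck "$2")
    offenders=$(list_repo_settings "$1" | awk -v def="$default" '{
        en = "1"; rgc = "unset"
        for (i = 3; i <= NF; i++) {
            if (index($i, "enabled=") == 1)       en  = substr($i, 9)
            if (index($i, "repo_gpgcheck=") == 1) rgc = substr($i, 15)
        }
        if (en == "0") next
        if (rgc == "unset") rgc = def
        if (rgc != "1" && rgc != "true" && rgc != "True" && rgc != "yes")
            print $1 ":" $2 " effective repo_gpgcheck=" rgc
    }')
    if [ -n "$offenders" ]; then printf '%s\n' "$offenders"; return 1; fi
    echo "all enabled repositories have repo_gpgcheck on"
}

# A repository can only be used with repo_gpgcheck=1 if it serves the detached
# signature repodata/repomd.xml.asc. file:// is checked locally; http(s):// via curl HEAD.
repo_has_signed_metadata() {
    case $1 in
        file://*)           [ -f "${1#file://}/repodata/repomd.xml.asc" ] ;;
        http://*|https://*) curl -sfI "${1%/}/repodata/repomd.xml.asc" >/dev/null ;;
        *)                  return 2 ;;
    esac
}

# --- constructed sample tree (made-up repo ids, paths and URLs) ---
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/yum.repos.d" "$SAMPLE_DIR/signed-repo/repodata" "$SAMPLE_DIR/unsigned-repo/repodata"
: > "$SAMPLE_DIR/signed-repo/repodata/repomd.xml.asc"   # signed metadata present
: > "$SAMPLE_DIR/unsigned-repo/repodata/repomd.xml"     # no .asc: metadata unsigned
printf '[main]\ngpgcheck=1\nrepo_gpgcheck=0\n' > "$SAMPLE_DIR/dnf.conf"
cat > "$SAMPLE_DIR/yum.repos.d/sample.repo" <<EOF
[internal-tools]
baseurl=file://$SAMPLE_DIR/signed-repo
enabled=1
gpgcheck=1
repo_gpgcheck = 1

[legacy-mirror]
baseurl=file://$SAMPLE_DIR/unsigned-repo
enabled=1
gpgcheck=1
# repo_gpgcheck left unset on purpose: it inherits the global default (0)

[old-extras]
baseurl=https://example.invalid/old-extras
enabled=0
gpgcheck=0
repo_gpgcheck=0
EOF

echo "global default: repo_gpgcheck=$(global_repo_gpgcheck "$SAMPLE_DIR/dnf.conf")"
list_repo_settings "$SAMPLE_DIR/yum.repos.d"
audit_repo_gpgcheck "$SAMPLE_DIR/yum.repos.d" "$SAMPLE_DIR/dnf.conf" || echo "audit: FAIL"
for u in "file://$SAMPLE_DIR/signed-repo" "file://$SAMPLE_DIR/unsigned-repo"; do
    if repo_has_signed_metadata "$u"; then echo "signed metadata: $u"; else echo "unsigned metadata, keep repo_gpgcheck=0: $u"; fi
done
```

On a real host, run the audit as `audit_repo_gpgcheck /etc/yum.repos.d /etc/dnf/dnf.conf` and, for each repository it reports, call `repo_has_signed_metadata` on its baseurl before setting repo_gpgcheck=1: a repository without repomd.xml.asc will fail metadata download once the check is on, which is the compatibility problem the section above describes. Disabled repositories are skipped because dnf never fetches their metadata.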
MITRE ATT&CK Mappings
Techniques / Subtechniques – T1195, T1195.001
Tactics – TA0005
Mitigations
The importance of server hardening
Correctly setting repo_gpgcheck is essential for Linux system security and functionality, as it ensures only trusted repository metadata is used, preventing potential tampering or unauthorized access.
Preventing potential tampering and unauthorized access is crucial for maintaining the integrity and security of server environments, as these risks can lead to compromised data, malware, or other cyber threats. This practice is a core component of server hardening, which aims to reinforce defenses, reduce vulnerabilities, and protect against attacks that exploit weak system configurations.