STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

V-269164

CAT I (High)

AlmaLinux OS 9 must ensure cryptographic verification of vendor software packages.

Rule ID

SV-269164r1050046_rule

STIG

Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

Version

V1R6

CCIs

CCI-003992

Discussion

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are not allowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA).

Check Content

Confirm AlmaLinux and TuxCare package-signing keys are installed on the system and verify their fingerprints match vendor values.

The keys are stored as "RPM-GPG-KEY-AlmaLinux-9" and "RPM-GPG-KEY-TuxCare" inside the "/etc/pki/rpm-gpg/" directory.

List GPG keys installed on the system using the following command:

$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey

TuxCare (Software Signing Key) <packager@tuxcare.com> public key
AlmaLinux OS 9 <packager@almalinux.org> public key

If the AlmaLinux and TuxCare GPG keys are not installed, this is a finding.

List key fingerprints of installed GPG keys using the following commands:

$ gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9 

pub   rsa4096/B86B3716 2022-01-18 [SC]
      Key fingerprint = BF18 AC28 7617 8908 D6E7  1267 D36C B86C B86B 3716
uid                   AlmaLinux OS 9 <packager@almalinux.org>
sub   rsa4096/C9BA6CAA 2022-01-18 [E]

$ gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-TuxCare

pub   rsa4096/8D50EB66 2023-03-06 [SC]
      Key fingerprint = FAD7 8590 81D0 738B 7A82  8496 D07B F2A0 8D50 EB66
uid                   TuxCare (Software Signing Key) <packager@tuxcare.com>
sub   rsa4096/A9C70659 2023-03-06 [E]

If either "/etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9" or "/etc/pki/rpm-gpg/RPM-GPG-KEY-TuxCare" key files are missing, this is a finding.

Compare key fingerprints of installed AlmaLinux and TuxCare GPG keys with fingerprints listed at 

https://almalinux.org/security/

https://docs.tuxcare.com/enterprise-support-for-almalinux/#gnupg-keys

If the key fingerprints do not match, this is a finding.

Fix Text

Install AlmaLinux and TuxCare package-signing keys on the system and verify their fingerprints match vendor values.

$ curl https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-9 -o /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9

$ curl https://repo.tuxcare.com/tuxcare/RPM-GPG-KEY-TuxCare -o /etc/pki/rpm-gpg/RPM-GPG-KEY-TuxCare

$ rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-9

$ rpm --import https://repo.tuxcare.com/tuxcare/RPM-GPG-KEY-TuxCare

Using the steps listed in the Check, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values.