Check Nogpgcheck
Description
GPG signature checking is a security feature that verifies the authenticity and integrity of packages before they are installed on a system. When nogpgcheck is enabled, dnf, tdnf, or yum will not verify the GPG signatures associated with the packages, potentially exposing the system to security risks if the packages have been tampered with or do not come from trusted sources.
Kyverno policy
Refer to the Nirmata curated policies - check-nogpgcheck.
Resource example
Below are two example Dockerfiles that comply with this policy: each installs packages with yum or dnf without passing --nogpgcheck, so signature verification stays enabled.

```dockerfile
FROM fedora:34
RUN yum -y install wget && \
    yum -y clean all
RUN echo "Hello, World!"
```

```dockerfile
FROM fedora:34
RUN dnf -y install wget && \
    dnf -y clean all
RUN echo "Hello, World!"
```
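To show what the policy is checking for in practice, here is an added example (written for this page; it is not the Kyverno policy itself nor Nirmata's code) of a small Python linter that inspects Dockerfile RUN instructions and reports yum, dnf or tdnf invocations that turn off signature verification. It joins backslash continuations, handles both the shell and the exec (JSON array) form of RUN, and splits chained commands on `&&`, `||`, `;` and `|`. Besides `--nogpgcheck` it also flags dnf's `--setopt=gpgcheck=0`, which has the same effect. The compliant sample is the page's own yum Dockerfile; the non-compliant sample and the `NONCOMPLIANT` name are constructed for the demonstration.

```python
"""Added example, not part of the policy page or the Kyverno policy: a small
linter that reports yum/dnf/tdnf commands in Dockerfile RUN instructions which
disable GPG signature verification. Sample Dockerfiles below are constructed."""
import json
import shlex

PACKAGE_MANAGERS = {"yum", "dnf", "tdnf"}
SHELL_OPERATORS = {"&&", "||", ";", "|"}


def run_instructions(dockerfile: str):
    """Yield (line_number, command) for each RUN instruction, joining
    backslash line continuations so multi-line commands are inspected whole."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        start = i + 1
        if stripped.upper().startswith("RUN "):
            command = stripped[4:]
            while command.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                command = command.rstrip()[:-1] + " " + lines[i].strip()
            yield start, command
        i += 1


def tokenize(command: str):
    """Return argv-style tokens for a RUN command in shell or exec form."""
    if command.lstrip().startswith("["):          # exec form: RUN ["dnf", "-y", ...]
        return [str(t) for t in json.loads(command)]
    # Shell form. shlex keeps "&&" as its own token; an operator glued to a word
    # (e.g. "wget;") is not split, which is a known limitation of this linter.
    return shlex.split(command)


def disables_gpgcheck(argv):
    """Return the offending argument if this package-manager argv turns off
    signature checking, else None. Covers --nogpgcheck and dnf's
    --setopt=gpgcheck=0 (attached and two-token forms)."""
    for idx, tok in enumerate(argv):
        if tok == "--nogpgcheck" or tok.startswith("--setopt=gpgcheck=0"):
            return tok
        if tok == "--setopt" and idx + 1 < len(argv) and argv[idx + 1].startswith("gpgcheck=0"):
            return f"{tok} {argv[idx + 1]}"
    return None


def find_nogpgcheck(dockerfile: str):
    """Return [(line_number, manager, offending_argument), ...] for the file."""
    findings = []
    for lineno, command in run_instructions(dockerfile):
        try:
            tokens = tokenize(command)
        except ValueError:                        # unbalanced quotes / bad JSON: skip
            continue
        # Split chained commands so 'yum install ... && yum clean all' is checked
        # as two separate package-manager invocations.
        subcommands, current = [], []
        for tok in tokens:
            if tok in SHELL_OPERATORS:
                subcommands.append(current)
                current = []
            else:
                current.append(tok)
        subcommands.append(current)
        for argv in subcommands:
            if not argv:
                continue
            manager = argv[0].rsplit("/", 1)[-1]  # /usr/bin/dnf -> dnf
            if manager not in PACKAGE_MANAGERS:
                continue
            offending = disables_gpgcheck(argv[1:])
            if offending:
                findings.append((lineno, manager, offending))
    return findings


def is_compliant(dockerfile: str) -> bool:
    """True when no RUN instruction disables package signature verification."""
    return not find_nogpgcheck(dockerfile)


# The page's compliant yum Dockerfile (raw string so the backslash survives).
COMPLIANT_YUM = r"""FROM fedora:34
RUN yum -y install wget && \
    yum -y clean all
RUN echo "Hello, World!"
"""

# Constructed non-compliant Dockerfile exercising the three forms the linter flags.
NONCOMPLIANT = r"""FROM fedora:34
RUN dnf -y --nogpgcheck install wget && \
    dnf -y clean all
RUN dnf --setopt=gpgcheck=0 -y install curl
RUN ["tdnf", "install", "-y", "--nogpgcheck", "curl"]
"""

if __name__ == "__main__":
    for name, content in (("compliant", COMPLIANT_YUM), ("noncompliant", NONCOMPLIANT)):
        for lineno, manager, arg in find_nogpgcheck(content):
            print(f"{name}: line {lineno}: {manager} invoked with {arg}")
        print(f"{name}: {'PASS' if is_compliant(content) else 'FAIL'}")
```

Run as a CI step before the image build, the linter gives the same verdict the Kyverno policy would give in-cluster, but earlier and with a line number the author can act on. A repository-level `gpgcheck=0` in a .repo file is outside what this Dockerfile-only check can see, so it complements rather than replaces the policy.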