The system must verify that package updates are digitally signed.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-219969 | SRG-OS-000366 | SOL-11.1-020020 | SV-219969r1016281_rule | 2026-02-19 | 3 |
Description
Digitally signed packages ensure that the source of the package can be identified.
ℹ️ Check
Determine what the signature policy is for pkg publishers:
# pkg property | grep signature-policy
Check that output produces:
signature-policy verify
If the output does not confirm that signature-policy verify is active, this is a finding.
✔️ Fix
The Software Installation Profile is required.
Configure the package system to ensure that digital signatures are verified.
# pfexec pkg set-property signature-policy verify