Securing the Distribution of Oracle Linux Packages

Oracle Linux yum servers are configured to use HTTPS so that all communications are validated, verified, and encrypted during package download.

Oracle Linux packages are signed by using Gnu Privacy Guard (GnuPG or GPG) key pairs. You can check package veracity by using the public keys that we provide to authenticate that the packages come from Oracle and that they haven't been altered since they were signed.

The system's repository files for Oracle Linux packages are normally set up with GPG parameters so that GPG verification is completed automatically as part of the download process. For example, the following entry in /etc/yum.repos.d/oracle-linux-ol9.repo is configured to automatically use the appropriate GPG key to verify the package during download:

[ol9_baseos_latest]
name=Oracle Linux 9 BaseOS Latest ($basearch)
baseurl=https://yum$ociregion.$ocidomain/repo/OracleLinux/OL9/baseos/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
...

Where:

  • gpgkey: specifies the full path of the key that's provided by the repository maintainer.

  • gpgcheck=1: the default setting of 1 means that package installation automatically uses the GPG key to verify that the packages to be installed are trusted. Always ensure that gpgcheck=1 remains the persistent setting.
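The two settings above are easy to check by hand for one repository, but a host typically carries several .repo files. The following Python script is an added example, not part of the Oracle documentation or of any Oracle tool: it parses yum/dnf repository files (which are INI-style) with configparser and reports every repository that does not pin gpgcheck=1, that has no gpgkey or fetches it over something other than file:// or https://, or that downloads packages over plain HTTP. The sample repo text is constructed for the demonstration; only the first section mirrors the ol9_baseos_latest entry shown above, and the assumption that a repo without an explicit enabled= line is enabled follows the usual yum/dnf default.

```python
"""Audit yum/dnf .repo files for package-signature and transport settings.

Added example, not Oracle Linux code. Parses repository files in their
INI-style format and reports settings that would allow unverified or
plaintext package downloads.
"""
import configparser
from dataclasses import dataclass
from typing import List

# Constructed sample: the documented ol9_baseos_latest entry plus two weak
# repositories that the audit should flag.
SAMPLE_REPO_FILE = """
[ol9_baseos_latest]
name=Oracle Linux 9 BaseOS Latest ($basearch)
baseurl=https://yum$ociregion.$ocidomain/repo/OracleLinux/OL9/baseos/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

[example_unsigned]
name=Constructed repo with signature checking disabled
baseurl=https://repo.example.invalid/ol9/
gpgcheck=0
enabled=1

[example_plaintext]
name=Constructed repo fetched over HTTP with no key configured
baseurl=http://repo.example.invalid/ol9/
enabled=1
"""


@dataclass
class RepoAudit:
    repo_id: str
    enabled: bool
    findings: List[str]  # empty list means the repository passed every check


def audit_repo_text(text: str) -> List[RepoAudit]:
    """Audit every repository section in *text* and return one result per repo."""
    # Disable interpolation so yum variables such as $basearch are left alone.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)

    results: List[RepoAudit] = []
    for repo_id in parser.sections():
        repo = parser[repo_id]
        findings: List[str] = []

        # 1. gpgcheck must be explicitly and persistently set to 1.
        gpgcheck = repo.get("gpgcheck", "").strip()
        if gpgcheck == "":
            findings.append("gpgcheck not set; set gpgcheck=1 explicitly")
        elif gpgcheck != "1":
            findings.append(f"gpgcheck={gpgcheck}; packages would install unverified")

        # 2. gpgkey must exist and come from a trusted channel: a local file
        #    (such as the key installed by oraclelinux-release) or HTTPS.
        gpgkey = repo.get("gpgkey", "").strip()
        if not gpgkey:
            findings.append("gpgkey not set; no key available for verification")
        else:
            for url in gpgkey.split():
                if not url.startswith(("file://", "https://")):
                    findings.append(f"gpgkey {url} is not file:// or https://")

        # 3. Every package source must be reached over HTTPS.
        sources = [k for k in ("baseurl", "mirrorlist", "metalink") if repo.get(k)]
        if not sources:
            findings.append("no baseurl, mirrorlist or metalink defined")
        for key in sources:
            for url in repo.get(key).split():
                if not url.startswith("https://"):
                    findings.append(f"{key} {url} does not use HTTPS")

        # Assumption: a repo with no enabled= line is enabled (yum/dnf default).
        enabled = repo.get("enabled", "1").strip() == "1"
        results.append(RepoAudit(repo_id, enabled, findings))
    return results


def weak_enabled_repos(text: str) -> List[str]:
    """Return the IDs of enabled repositories with at least one finding."""
    return [a.repo_id for a in audit_repo_text(text) if a.enabled and a.findings]


def audit_repo_file(path: str) -> List[RepoAudit]:
    """Audit a real file, e.g. /etc/yum.repos.d/oracle-linux-ol9.repo."""
    with open(path, encoding="utf-8") as fh:
        return audit_repo_text(fh.read())


if __name__ == "__main__":
    for audit in audit_repo_text(SAMPLE_REPO_FILE):
        state = "enabled" if audit.enabled else "disabled"
        verdict = "OK" if not audit.findings else "; ".join(audit.findings)
        print(f"[{audit.repo_id}] ({state}): {verdict}")
```

Run against the live directory with a loop over audit_repo_file() for each file in /etc/yum.repos.d/; any enabled repository returned by weak_enabled_repos() is one whose packages could be installed without the verification this page describes.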

The public keys that Oracle generates for Oracle Linux packages are available on the Oracle Linux yum server and are included when the packages are installed on the system. The public GPG key is installed automatically when you install the oraclelinux-release package.

Note:

Developer Preview packages might be signed using a dedicated development GPG key. The development GPG key isn't installed on Oracle Linux systems by default, so you might need to install the key and manually verify such packages.
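When packages have to be verified manually, the usual flow is to import the key with rpm --import and then run rpm -K -v on each downloaded .rpm file; the per-package result lines tell you whether the signature verified (OK), whether the signing key is not in the rpm keyring (NOKEY), or whether the signature or a digest failed (BAD). The Python script below is an added example, not Oracle code: it parses that verbose output for a batch of packages and reduces each to a single verdict, additionally requiring that the signing key ID be one you have deliberately chosen to trust. The sample output is constructed, the key IDs in it are placeholders rather than real Oracle key IDs, and the line format assumed is rpm's verbose checksig output.

```python
"""Classify `rpm -K -v` output for manually verified packages.

Added example, not Oracle Linux code. Each package block printed by
`rpm -K -v pkg.rpm` is reduced to one verdict so that a batch of packages
(for example Developer Preview builds) can be checked after importing the key.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample output (placeholder key IDs) covering three cases:
# a package signed by an imported key, one signed by a key that is not in the
# rpm keyring, and one whose signature and payload digest fail.
SAMPLE_CHECKSIG_OUTPUT = """\
preview-tool-1.0-1.el9.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123456789abcdef: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
preview-lib-1.0-1.el9.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID fedcba9876543210: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
tampered-1.0-1.el9.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123456789abcdef: BAD
    Header SHA256 digest: OK
    Payload SHA256 digest: BAD
"""

PACKAGE_LINE = re.compile(r"^(?P<name>\S+\.rpm):\s*$")
SIGNATURE_LINE = re.compile(r"Signature, key ID (?P<key>[0-9a-fA-F]+): (?P<status>\w+)")
DIGEST_LINE = re.compile(r"digest: (?P<status>\w+)")


def classify_checksig(output: str, trusted_key_ids: Iterable[str]) -> Dict[str, str]:
    """Map each package file name to one verdict.

    verified      every signature is OK from a key in trusted_key_ids, digests OK
    unknown-key   rpm reported NOKEY: the signing key is not imported
    untrusted-key signature OK, but the key is not one you chose to trust
    unsigned      no signature lines at all
    bad           any signature or digest reported something other than OK
    """
    trusted = {k.lower() for k in trusted_key_ids}
    verdicts: Dict[str, str] = {}
    current = None
    sig_keys: List[str] = []
    sig_status: List[str] = []
    digest_status: List[str] = []

    def finish() -> None:
        # Decide the verdict for the package block that just ended.
        if current is None:
            return
        statuses = sig_status + digest_status
        if any(s == "BAD" for s in statuses):
            verdicts[current] = "bad"
        elif not sig_keys:
            verdicts[current] = "unsigned"
        elif any(s == "NOKEY" for s in sig_status):
            verdicts[current] = "unknown-key"
        elif any(k not in trusted for k in sig_keys):
            verdicts[current] = "untrusted-key"
        elif all(s == "OK" for s in statuses):
            verdicts[current] = "verified"
        else:
            verdicts[current] = "bad"

    for line in output.splitlines():
        m = PACKAGE_LINE.match(line)
        if m:
            finish()
            current = m.group("name")
            sig_keys, sig_status, digest_status = [], [], []
            continue
        m = SIGNATURE_LINE.search(line)
        if m:
            sig_keys.append(m.group("key").lower())
            sig_status.append(m.group("status"))
            continue
        m = DIGEST_LINE.search(line)
        if m:
            digest_status.append(m.group("status"))
    finish()
    return verdicts


if __name__ == "__main__":
    # Placeholder: substitute the key ID of the development key you imported.
    for pkg, verdict in classify_checksig(SAMPLE_CHECKSIG_OUTPUT, ["0123456789abcdef"]).items():
        print(f"{pkg}: {verdict}")
```

Only a verdict of verified means the package may be installed; unknown-key means the key still has to be imported, and untrusted-key means a signature verified under a key that you did not intend to accept, which is exactly the case a dedicated development key can produce on a system that trusts it only for preview packages.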

For more information, and download links for other Oracle Linux release keys and checksum files, see https://linux.oracle.com/security/gpg/