4.12 Ensure all signed artifacts are validated

Information

Validate artifacts signatures before uploading to the package registry.

Rationale:

Cryptographic signature is a tool to verify artifact authenticity. Every artifact is supposed to be signed by its creator in order to verify that it wasn't compromised until it got to the client. Validating artifact signature before delivering it is another level of protection, which checks that the signature hasn't been changed, which means that no one tried or succeeded in tampering with the artifact. That sets trust between the supplier and the client.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Validate every artifact with its signature. It is recommended to do so automatically.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1), CSCv7|2.7

Plugin: Unix

Control ID: 09d0ed08e095ca1253ccdc9f764e7864ccd59a1a4ae0c781c93734984637e5b3