On 03/02/2021 21:50, Ramin Doe wrote:
> It's not entirely clear to me what the CIS guideline was expecting me to
> do. It says:
>
> Verify GPG keys are configured correctly for your package manager:
> # apt-key list
>
> Perhaps they want me to install apt-key, and use it to look at the gpg
> keys installed on my system, and then somehow verify that they aren't
> compromised? Does that sound like I'm understanding them correctly?

apt-key is considered deprecated (check the man: apt-key(8)). However, what this command does is show you the list of keys trusted for package installation. I guess it's to make sure you have only legit keys there - but I didn't read those guidelines, so I can't be completely sure :)

Cheers,
--
nodens
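
One way to do the check discussed in this thread without apt-key, as an added example that is not part of either message: parse GnuPG's machine-readable key listing and report any trusted key that is not on an allowlist or has expired. The function name `audit_keys`, the allowlist file, and the fingerprints and listing below are constructed for illustration; date fields are assumed to be epoch seconds, as GnuPG 2.x emits them.

```shell
#!/bin/sh
# Added example. Usage: audit_keys ALLOWLIST_FILE NOW_EPOCH < colon-listing
# Real input would come from: gpg --show-keys --with-colons <keyring file>
audit_keys() {
    awk -F: -v allow="$1" -v now="$2" '
        function report() {
            if (fpr == "") return
            if (!(fpr in ok)) { print "UNEXPECTED", fpr, uid }
            else if (validity == "e" || (expires != "" && expires + 0 < now + 0)) {
                print "EXPIRED", fpr, uid
            }
        }
        BEGIN { while ((getline line < allow) > 0) if (line != "") ok[line] = 1 }
        # A "pub" record starts a new key: field 2 is validity, field 7 is expiry.
        $1 == "pub" { report(); validity = $2; expires = $7; fpr = ""; uid = ""; primary = 1 }
        $1 == "sub" { primary = 0 }                      # ignore subkey fingerprints
        $1 == "fpr" && primary && fpr == "" { fpr = $10 } # primary key fingerprint
        $1 == "uid" && uid == "" { uid = $10 }            # first user id only
        END { report() }
    '
}

# Constructed fingerprints (not real keys).
KEY_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
KEY_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
KEY_C=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

# Constructed listing: one valid key, one expired key, one key nobody approved.
sample_listing() {
cat <<EOF
pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:1900000000::-:::scSC:
fpr:::::::::${KEY_A}:
uid:-::::1600000000::::Example Archive Key <archive@example.org>:
sub:-:4096:1:1111111111111111:1600000000:1900000000:::::e:
fpr:::::::::1111111111111111111111111111111111111111:
pub:e:4096:1:BBBBBBBBBBBBBBBB:1400000000:1500000000::-:::scSC:
fpr:::::::::${KEY_B}:
uid:e::::1400000000::::Old Archive Key <old@example.org>:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1650000000:::-:::scSC:
fpr:::::::::${KEY_C}:
uid:-::::1650000000::::Unknown Repo <repo@example.net>:
EOF
}

# Demo: keys A and B are approved; "now" is fixed so the result is reproducible.
allowlist=$(mktemp)
printf '%s\n' "$KEY_A" "$KEY_B" > "$allowlist"
sample_listing | audit_keys "$allowlist" 1700000000
rm -f "$allowlist"
```

On a real system the listing would be produced per keyring file under apt's trusted key locations, and the allowlist would hold the fingerprints published by the repositories you actually use.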