Disabled GPG Signature Verification
Ansible dnf tasks are configured with disable_gpg_check: true to bypass package signature validation, allowing installation of unsigned or tampered packages that could contain malicious code or backdoors.
Ansible dnf tasks configured with disable_gpg_check: true bypass GPG signature verification, allowing installation of tampered, unsigned, or malicious packages. This creates a critical supply chain attack vector where malicious actors can inject compromised packages that execute arbitrary code during installation or runtime, leading to complete system compromise, data exfiltration, and persistent attacker control over target systems.
```yaml
# VULNERABLE: Ansible dnf tasks with disabled GPG verification
- name: Install packages without verification
  hosts: all
  tasks:
    # VULNERABLE: Disable GPG checks for single package
    - name: Install package without verification
      ansible.builtin.dnf:
        name: custom-package
        state: present
        disable_gpg_check: yes  # VULNERABLE: Bypasses signature verification

    # VULNERABLE: Multiple packages without verification
    - name: Install multiple packages unsafely
      ansible.builtin.dnf:
        name:
          - untrusted-tool
          - legacy-software
          - custom-application
        state: present
        disable_gpg_check: true  # VULNERABLE: All packages unverified

    # VULNERABLE: Package from untrusted repository
    - name: Add untrusted repository
      ansible.builtin.yum_repository:
        name: untrusted-repo
        description: Untrusted Package Repository
        baseurl: http://untrusted.example.com/packages/
        enabled: yes
        gpgcheck: no  # VULNERABLE: Repository without GPG checks

    - name: Install from untrusted repository
      ansible.builtin.dnf:
        name: malicious-package
        state: present
        disable_gpg_check: yes  # VULNERABLE: Double bypass

    # VULNERABLE: Development packages without verification
    - name: Install development tools unsafely
      ansible.builtin.dnf:
        name: "@Development Tools"
        state: present
        disable_gpg_check: yes  # VULNERABLE: Group installation unverified
```

```yaml
# SECURE: Ansible dnf configuration with proper GPG verification
- name: Install packages securely with verification
  hosts: all
  tasks:
    # SECURE: Configure repository with GPG verification
    - name: Add trusted repository with GPG verification
      ansible.builtin.yum_repository:
        name: trusted-repo
        description: Trusted Package Repository
        baseurl: https://trusted.example.com/packages/
        enabled: yes
        gpgcheck: yes  # SECURE: Enable GPG verification
        gpgkey: https://trusted.example.com/GPG-KEY

    # SECURE: Install package with GPG verification
    - name: Install verified package
      ansible.builtin.dnf:
        name: custom-package
        state: present
        # SECURE: disable_gpg_check omitted or set to 'no'

    # SECURE: Install multiple packages with verification
    - name: Install multiple verified packages
      ansible.builtin.dnf:
        name:
          - trusted-tool
          - legacy-software
          - custom-application
        state: present
        disable_gpg_check: no  # SECURE: Explicitly enable verification

    # SECURE: Install development tools with verification
    - name: Install development tools securely
      ansible.builtin.dnf:
        name: "@Development Tools"
        state: present
        disable_gpg_check: false  # SECURE: Verify all group packages
```
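The examples above show the two settings that switch signature checking off: a truthy `disable_gpg_check` on the `dnf`/`yum` module and a falsy `gpgcheck` on `yum_repository`. A scanner that catches both in a playbook tree, added here as an illustration and not Sourcery's own rule implementation, has to handle the YAML 1.1 booleans Ansible accepts (`yes`, `on`, `1`, quoted `"True"`) rather than only the literal `true`, and it should flag templated values (`"{{ var }}"`) for manual review because they cannot be resolved statically. The sample playbook, the `.invalid` hostname and the file layout are constructed for this example.

```python
"""Find Ansible package tasks and repositories that disable GPG verification.

Added example for this page, not Sourcery's own rule implementation. Works
line by line so it needs no YAML library; the constructed SAMPLE_PLAYBOOK at
the bottom shows the cases it is meant to catch.
"""
import re
import sys
from pathlib import Path
from typing import NamedTuple

# Ansible accepts YAML 1.1 booleans, so matching only the word "true" would
# miss "yes", "on" and "1" (and quoted forms such as "True").
TRUTHY = {"true", "yes", "on", "1"}
FALSY = {"false", "no", "off", "0"}

# Key -> values that turn signature checking OFF for that key:
# disable_gpg_check (dnf/yum module) is dangerous when truthy,
# gpgcheck (yum_repository module) is dangerous when falsy.
INSECURE_VALUES = {"disable_gpg_check": TRUTHY, "gpgcheck": FALSY}

# Key at the start of a line (after indentation), value up to any '#' comment.
# A commented-out line ("# disable_gpg_check: yes") does not match.
_KEY_RE = re.compile(r"^\s*(disable_gpg_check|gpgcheck)\s*:\s*([^#]*)")


class Finding(NamedTuple):
    path: str
    line_no: int
    key: str
    value: str
    status: str  # "insecure" (definitely off) or "templated" (needs review)


def _normalise(raw: str) -> str:
    """Strip whitespace and surrounding quotes, lower-case the scalar."""
    return raw.strip().strip("\"'").lower()


def scan_text(text: str, path: str = "<inline>") -> list[Finding]:
    """Return findings for one playbook/role file given as text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), _normalise(m.group(2))
        if "{{" in value:
            # Jinja2 expression: cannot be decided statically, so report it.
            findings.append(Finding(path, line_no, key, value, "templated"))
        elif value in INSECURE_VALUES[key]:
            findings.append(Finding(path, line_no, key, value, "insecure"))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan every .yml/.yaml file below root (e.g. playbooks/ and roles/)."""
    findings: list[Finding] = []
    for pattern in ("*.yml", "*.yaml"):
        for p in sorted(root.rglob(pattern)):
            findings.extend(scan_text(p.read_text(encoding="utf-8"), str(p)))
    return findings


def format_report(findings: list[Finding]) -> list[str]:
    """One human-readable line per finding, in file:line form."""
    return [f"{f.path}:{f.line_no}: {f.key}={f.value!r} ({f.status})"
            for f in findings]


# Constructed sample playbook covering the cases the scanner should catch.
SAMPLE_PLAYBOOK = """\
- name: constructed sample
  hosts: all
  tasks:
    - name: repo without verification
      ansible.builtin.yum_repository:
        name: demo
        baseurl: https://repo.example.invalid/
        gpgcheck: no
    - name: package without verification
      ansible.builtin.dnf:
        name: demo-package
        state: present
        disable_gpg_check: yes   # YAML 1.1 boolean
    - name: quoted string boolean
      ansible.builtin.dnf:
        name: other-package
        disable_gpg_check: "True"
    - name: templated value
      ansible.builtin.dnf:
        name: third-package
        disable_gpg_check: "{{ skip_gpg | default(false) }}"
    - name: safe
      ansible.builtin.dnf:
        name: fourth-package
        disable_gpg_check: false
"""

if __name__ == "__main__":
    # Usage: python gpg_check_scan.py [directory]; scans the sample if none given.
    found = (scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1
             else scan_text(SAMPLE_PLAYBOOK, "sample.yml"))
    print("\n".join(format_report(found)))
    sys.exit(1 if found else 0)
```

Run against the sample it reports the repository with `gpgcheck: no`, the two truthy `disable_gpg_check` lines (including the quoted `"True"`) and the templated line, and exits non-zero so it can sit in a pre-commit hook or CI job; the `disable_gpg_check: false` task is not reported.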
Sourcery automatically identifies remote code execution due to disabled GPG verification in Ansible dnf tasks, and many other security issues, in your codebase.