---
id: V-38462
status: implemented
tag: package
---

All versions of Ubuntu and CentOS supported by the role verify packages against
GPG signatures by default.

Deployers can disable GPG verification for all packages in Ubuntu by setting
the ``AllowUnauthenticated`` configuration option in a file within
``/etc/apt/apt.conf.d/``. The Ansible tasks will search for this configuration
option and will stop the playbook execution if the option is set. Note
that users can pass an argument on the apt command line to bypass the checks as
well, but that's outside the scope of this check and remediation.

In CentOS, deployers can set ``gpgcheck=0`` within individual yum repository
files in ``/etc/yum.repos.d/`` to disable GPG signature checking. The Ansible
tasks will check for this configuration option in those files and stop the
playbook execution.

Deployers can use ``--skip-tags V-38462`` to omit these tasks when applying the
security role on systems where GPG verification must be disabled.