Many people think Linux is so safe that nobody can hack it, but this is wrong: with bad package hygiene your system becomes messy and unsafe. If you install packages from untrusted sources or do not check their signing keys, an attacker can get malware onto your computer. I want to show you how to harden your Fedora or Red Hat system by checking GPG keys and locking configuration files so that they cannot be changed silently, not even by a process running as root, until the lock is removed. This guide is easy to follow, and I explain everything step by step so you can do it on your own laptop even if you are new to Linux.
The first thing to do is check the GPG configuration of the DNF package manager. DNF is the tool that downloads software for us, but it needs to verify that the software is genuine and has not been tampered with. That is what the GPG check does: each package carries a cryptographic signature made with the publisher's key. If the signature does not verify, DNF refuses to install the package because it may have been modified.
Step 1: Check your DNF configuration file for GPG settings. The configuration file is located at /etc/dnf/dnf.conf. Search it to see whether the GPG checks are active by running this command in your terminal:
grep -E "^gpgcheck|^localpkg_gpgcheck|^repo_gpgcheck" /etc/dnf/dnf.conf
This command uses grep to search for three important settings. You want to see gpgcheck=1 or gpgcheck=True, and the same for localpkg_gpgcheck (local packages) and repo_gpgcheck (repository metadata). If you do not see them, or if they are set to 0, your system is not safe because it will install unsigned packages. If they are missing, open the file with a text editor such as nano and add them.
Step 2: Lock the configuration file so it cannot be changed. Malicious scripts or malware sometimes try to modify your DNF configuration to disable GPG checks, so that they can install their tools without you knowing. You can prevent this with the chattr tool and its +i option. This option makes the file immutable, which means nobody can write to it or delete it, not even the root superuser, for as long as the flag is set. Run this command:
sudo chattr +i /etc/dnf/dnf.conf
Only do this if you are sure your configuration is final and you do not want to change it. If you need to change your DNF configuration later, you must first run sudo chattr -i /etc/dnf/dnf.conf to unlock the file.
Step 3: Verify that the file is locked. To make sure the lock is active, run this command:
lsattr /etc/dnf/dnf.conf
Look at the output. If you see the letter ‘i’ among the attribute characters, the file is locked. If you see only dashes, the lock did not work and you must try again.
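The grep in Step 1 only reads /etc/dnf/dnf.conf, but a gpgcheck line inside a repository file under /etc/yum.repos.d overrides the [main] value for that repository. The script below is an added example, not part of the original guide: it reports the effective gpgcheck value for every repository section. The function names and the sample files are made up for the demo.

```bash
#!/usr/bin/env bash
# audit_gpgcheck MAIN_CONF REPO_FILE...
# Prints one line per repository section with its effective gpgcheck value.
audit_gpgcheck() {
  local main_conf=$1; shift
  awk -v main_conf="$main_conf" '
    function norm(v) {                 # map boolean spellings to 1 / 0
      v = tolower(v)
      if (v ~ /^(1|true|yes|on)$/)  return "1"
      if (v ~ /^(0|false|no|off)$/) return "0"
      return "?"
    }
    function report(   eff, src) {     # verdict for the section just finished
      if (sec == "" || sec == "main") return
      eff = val; src = "repo"
      if (eff == "") { eff = main_val; src = "main" }
      if (eff == "") { eff = "unset";  src = "none" }
      printf "%s %s gpgcheck=%s (from %s)\n", (eff == "1" ? "OK" : "WEAK"), sec, eff, src
    }
    FNR == 1           { report(); sec = ""; val = "" }  # a new file starts
    /^[ \t]*[#;]/      { next }                          # comment line
    /^[ \t]*\[[^]]+\]/ {                                 # [section] header
      report(); sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); val = ""; next
    }
    /^[ \t]*gpgcheck[ \t]*=/ {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
      if (sec == "main" && FILENAME == main_conf) main_val = norm(v)
      else if (sec != "" && sec != "main")        val = norm(v)
    }
    END { report() }
  ' "$main_conf" "$@"
}

# Constructed sample files (not real repositories) so the demo runs offline.
demo_audit() {
  local d; d=$(mktemp -d)
  printf '[main]\ngpgcheck=True\n' > "$d/dnf.conf"
  printf '[fedora]\nname=Fedora\n\n[vendor-tool]\ngpgcheck = 0\n' > "$d/a.repo"
  audit_gpgcheck "$d/dnf.conf" "$d/a.repo"
  rm -rf "$d"
}
demo_audit
# Real use: audit_gpgcheck /etc/dnf/dnf.conf /etc/yum.repos.d/*.repo
```

Any line that starts with WEAK names a repository whose packages would be installed without a signature check, even when dnf.conf itself looks correct.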
Now we must audit our package repositories. Repositories are the servers your computer downloads software from. If an untrustworthy repository is enabled on your system, you might download malicious software from it, so we must check every repository that is enabled.
Step 1: Run this command to see all enabled repositories:
sudo dnf5 repo list --enabled
This prints a list of repositories. Look at them carefully. If you see one that you do not recognize or did not add yourself, treat it as suspicious and investigate.
Step 2: We can get more details about the repositories, such as their URLs, with a short Python command, because DNF5 can output JSON, which is easier for scripts to read. Run this command in your terminal:
sudo dnf5 repolist --enabled --quiet --json | python3 -c \
"import json,sys; [print(r['id'],r.get('baseurl','')) for r in json.load(sys.stdin)]"
This command tells DNF5 to emit JSON, and Python then reads it and prints only the ID and the URL of each repository. Check every URL in the list to make sure it belongs to an official source such as Fedora or to a third party you trust.
Step 3: We also need to check the GPG keys that are installed in the RPM database. Old keys sometimes stay there even after the repository they belonged to is no longer used. These are called orphan keys. Run this command:
rpm -q --qf '%{nvra} %{summary}\n' gpg-pubkey
This prints all installed GPG keys. Look at the summaries: each one tells you who the key belongs to, such as Fedora, Google or Microsoft. If you see a key from a repository you removed long ago, it is an orphan key.
Step 4: If you find a repository that you do not want or do not trust, disable it right away. Run this command:
sudo dnf5 config-manager setopt repo_id.enabled=0
Replace repo_id with the actual ID of the repository you found in the list.
Step 5: If you found an old GPG key that no longer belongs to any repository, you can delete it with this command:
sudo rpm -e gpg-pubkey-NNN
Replace gpg-pubkey-NNN with the key name you saw in the list. This keeps your system clean, so that it only trusts keys that are really needed.
Updating your computer is boring, and sometimes you forget to do it. But security updates are very important because new vulnerabilities are found every day. We can make DNF5 download and install security updates automatically without asking us. This is very good for lazy people.
Step 1: Install the automatic update plugin for DNF5. Run this command:
sudo dnf5 install -y dnf5-plugin-automatic
This downloads the plugin and installs it on your system.
Step 2: Now configure the plugin. The configuration file is /etc/dnf/automatic.conf. We want to change three settings in it. We tell it to apply only security updates, because applying all updates might break some software we use, and we tell it to download and apply updates automatically. We can use sed to make these changes quickly without opening a text editor. Run these three commands:
sudo sed -i 's/^upgrade_type.*/upgrade_type = security/' /etc/dnf/automatic.conf
sudo sed -i 's/^download_updates.*/download_updates = yes/' /etc/dnf/automatic.conf
sudo sed -i 's/^apply_updates.*/apply_updates = yes/' /etc/dnf/automatic.conf
The first command finds the upgrade_type line and sets it to security, so you only get important security fixes. The second makes sure the updates are downloaded. The third makes sure they are installed automatically, so you do not have to do anything.
Step 3: Now start the timer so that systemd knows it needs to run this task. Run this command:
sudo systemctl enable --now dnf-automatic.timer
This enables the timer and starts it right away, so it runs in the background.
Step 4: To make sure the timer is running and to see when it will run next, use this command:
sudo systemctl list-timers dnf-automatic.timer --no-pager
This shows the time remaining before the next check. It usually runs every day, so your system stays up to date with security fixes.
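The sed commands in Step 2 only rewrite a line that already starts with the key. If the key is commented out or missing, sed changes nothing and reports no error, and automatic updates stay off. The function below is an added example, not part of the original guide: it sets a key inside a section and adds the key or the section when it is absent. It assumes the three keys belong in a [commands] section; the function names and the sample file are made up for the demo.

```bash
#!/usr/bin/env bash
# set_conf_key FILE SECTION KEY VALUE
# Sets "KEY = VALUE" inside [SECTION]; adds the key or the section if absent.
set_conf_key() {
  local file=$1 section=$2 key=$3 value=$4 tmp
  [ -f "$file" ] || : > "$file"
  tmp=$(mktemp)
  awk -v sec="[$section]" -v key="$key" -v val="$value" '
    function add_if_missing() {
      if (in_sec && !done) { print key " = " val; done = 1 }
    }
    /^[ \t]*\[/ {                          # any section header
      add_if_missing()                     # leaving our section without the key
      in_sec = ($1 == sec); if (in_sec) seen = 1
      print; next
    }
    in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      if (!done) { print key " = " val; done = 1 }   # replace; drop duplicates
      next
    }
    { print }
    END {
      add_if_missing()
      if (!seen) { print sec; print key " = " val }
    }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
  rm -f "$tmp"
}

# Constructed sample config: one key commented out, one set to "no", one missing.
demo_automatic() {
  local f; f=$(mktemp)
  printf '%s\n' '[commands]' '#upgrade_type = default' 'download_updates = no' \
    '' '[emitters]' 'emit_via = stdio' > "$f"
  set_conf_key "$f" commands upgrade_type security
  set_conf_key "$f" commands download_updates yes
  set_conf_key "$f" commands apply_updates yes
  cat "$f"; rm -f "$f"
}
demo_automatic
# Real use (as root): set_conf_key /etc/dnf/automatic.conf commands apply_updates yes
```

Afterwards, grep the three keys in /etc/dnf/automatic.conf to confirm that each appears exactly once with the value you expect.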
If you use desktop Linux such as Fedora Workstation, you probably use Flatpak. Flatpak is very good because it runs apps in sandboxes. A sandbox means the app is isolated from your real system files. But many app developers are lazy and request too many permissions. For example, a music player might ask for permission to see all the files in your home directory, or to use the network when it does not need to. This is bad because if the app is compromised, the attacker can read all your personal files.
Step 1: First we should see what permissions our installed Flatpak apps have. Run this command in your terminal:
for app in $(flatpak list --app --columns=application); do
  echo "== $app"; flatpak info --show-permissions "$app"; done
This shows every installed Flatpak app together with the permissions it has. Entries such as filesystem=host or filesystem=home mean the app can read your files, and network means the app can go online.
Step 2: To manage these permissions easily, install a GUI tool called Flatseal. Flatseal is simple to use. You can install it from Flathub with this command:
flatpak install -y flathub com.github.tchx84.Flatseal
This installs Flatseal on your computer.
Step 3: After it is installed, open Flatseal from your application menu. You will see a list of all your Flatpak apps on the left side. Click the app you want to check. On the right side you will see switches for the different permissions. Turn off the permissions that the app does not need. For example, for an image viewer you can turn off network, because it does not need the internet to show local pictures. For a media player or a game you can turn off filesystem=host and filesystem=home so it cannot read your private documents. This way the app still works, but it cannot spy on your computer or access files it should not touch. It is simple to do and makes your desktop much more secure.
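To decide which apps to open in Flatseal first, you can filter the permission listing for the two kinds of access discussed above. The function below is an added example, not part of the original guide: it reads the output of flatpak info --show-permissions and prints only the network and host or home filesystem entries. The function names and the sample input are made up for the demo.

```bash
#!/usr/bin/env bash
# flag_broad_perms APP_ID
# Reads one app's "flatpak info --show-permissions" output on stdin and
# prints the entries that grant network access or host/home file access.
flag_broad_perms() {
  local app=$1
  awk -F= -v app="$app" '
    /^\[/ { ctx = ($0 == "[Context]"); next }   # only the [Context] group matters
    !ctx  { next }
    $1 == "shared" || $1 == "filesystems" {
      n = split($2, item, ";")
      for (i = 1; i <= n; i++) {
        p = item[i]; sub(/:.*/, "", p)          # drop a :ro / :rw / :create suffix
        if ($1 == "shared" && p == "network")
          print app, "network"
        if ($1 == "filesystems" && (p == "host" || p == "home"))
          print app, "filesystem=" item[i]
      }
    }
  '
}

# Constructed sample of the permission listing for a made-up app ID.
demo_flatpak() {
  printf '%s\n' '[Context]' 'shared=network;ipc;' 'sockets=wayland;pulseaudio;' \
    'filesystems=xdg-music;home:ro;' '' '[Session Bus Policy]' \
    'org.example.Svc=talk' | flag_broad_perms org.example.Player
}
demo_flatpak

# Real use:
# for app in $(flatpak list --app --columns=application); do
#   flatpak info --show-permissions "$app" | flag_broad_perms "$app"
# done
```

A read-only entry such as home:ro is still reported, because the app can read your documents even though it cannot change them.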
In conclusion, keeping your package manager and Flatpaks clean is very important for the safety of your computer. If you follow this guide, you will have automatic security updates and locked DNF settings that cannot be changed without removing the lock first. You also make your Flatpaks more secure by using Flatseal to disable permissions they do not need. This makes your computer much stronger against attackers and security bugs.
