ComplianceAsCode · jan-cerny · Dec 12, 2025 · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/components/sequoia.yml b/components/sequoia.yml
@@ -0,0 +1,5 @@
+name: sequoia
+packages:
+- sequoia-sq
+rules:
+- package_sequoia-sq_installed
diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -1255,6 +1255,8 @@ controls:
           - ensure_gpgcheck_globally_activated
           - ensure_gpgcheck_local_packages
           - ensure_redhat_gpgkey_installed
+          # this is relevant for RHEL only
+          - package_sequoia-sq_installed
           - ensure_oracle_gpgkey_installed
           - ensure_almalinux_gpgkey_installed
 

diff --git a/controls/e8.yml b/controls/e8.yml
@@ -25,6 +25,8 @@ controls:
           - package_squid_removed
           - service_squid_disabled
           - ensure_redhat_gpgkey_installed
+          # the rule ensure_redhat_gpgkey_installed needs a special package on RHEL 10 which is not installed by default
+          - package_sequoia-sq_installed
           - ensure_gpgcheck_never_disabled
           - ensure_gpgcheck_local_packages
           - ensure_gpgcheck_globally_activated

diff --git a/controls/hipaa.yml b/controls/hipaa.yml
@@ -171,6 +171,8 @@ controls:
           - ensure_gpgcheck_never_disabled
           - ensure_gpgcheck_repo_metadata
           - ensure_redhat_gpgkey_installed
+          # This is needed for RHEL 10
+          - package_sequoia-sq_installed
           - ensure_suse_gpgkey_installed
           - ensure_almalinux_gpgkey_installed
       status: automated

diff --git a/controls/ism_o.yml b/controls/ism_o.yml
@@ -604,6 +604,7 @@ controls:
           - ensure_gpgcheck_local_packages
           - ensure_gpgcheck_never_disabled
           - ensure_redhat_gpgkey_installed
+          - package_sequoia-sq_installed
           - ensure_oracle_gpgkey_installed
           - dnf-automatic_security_updates_only
       status: automated

diff --git a/controls/ospp.yml b/controls/ospp.yml
@@ -448,6 +448,8 @@ controls:
           - ensure_gpgcheck_local_packages
           - ensure_gpgcheck_never_disabled
           - ensure_redhat_gpgkey_installed
+          # This package is needed for RHEL 10
+          - package_sequoia-sq_installed
       status: automated
 
     - id: FPT_TUD_EXT.2
@@ -462,6 +464,8 @@ controls:
           - ensure_gpgcheck_local_packages
           - ensure_gpgcheck_never_disabled
           - ensure_redhat_gpgkey_installed
+          # This package is needed for RHEL 10
+          - package_sequoia-sq_installed
       status: automated
 
     - id: FPT_TST_EXT.1

diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
@@ -1556,6 +1556,8 @@ controls:
             status: automated
             rules:
                 - ensure_redhat_gpgkey_installed
+                # This package is needed for RHEL 10
+                - package_sequoia-sq_installed
                 - ensure_suse_gpgkey_installed
                 - ensure_almalinux_gpgkey_installed
                 - ensure_gpgcheck_globally_activated

diff --git a/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml b/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml
@@ -1,8 +1,8 @@
 controls:
    -   id: SRG-OS-000366-GPOS-00153
        levels:
            - high
        title: {{{ full_name }}} must prevent the installation of patches, service packs,
            device drivers, or operating system components without verification they have
            been digitally signed using a certificate that is recognized and approved by the
            organization.
@@ -17,6 +17,7 @@
             {{% endif %}}
             {{% if 'rhel' in product %}}
             - ensure_redhat_gpgkey_installed
+            - package_sequoia-sq_installed
             {{% endif %}}
             {{% if 'ol' in families %}}
             - ensure_oracle_gpgkey_installed

diff --git a/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Install sequoia-sq Package'
+
+description: |-
+    {{{ describe_package_install(package="sequoia-sq") }}}
+
+rationale: |-
+    The <tt>sequoia-sq</tt> package provides the <tt>sq</tt> command-line tool,
+    which is used for OpenPGP operations including verification of GPG signatures.
+    This tool is required for cryptographic verification of software packages and
+    GPG keys using modern OpenPGP implementations.
+
+severity: low
+
+identifiers:
+    cce@rhel10: CCE-86458-7
+
+references:
+    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
+    ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
+    srg: SRG-OS-000366-GPOS-00153
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="sequoia-sq") }}}'
+
+template:
+    name: package_installed
+    vars:
+        pkgname: sequoia-sq
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
@@ -3,33 +3,53 @@
 # strategy = restrict
 # complexity = medium
 # disruption = medium
-- name: "Read permission of GPG key directory"
+- name: "{{{ rule_title }}}: Read permission of GPG key directory"
   ansible.builtin.stat:
     path: /etc/pki/rpm-gpg/
   register: gpg_key_directory_permission
   check_mode: no
 
 # It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
 
-- name: Read signatures in GPG key
+{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
+# RHEL >= 10: Use sq command from sequoia-sq package
+- name: "{{{ rule_title }}}:  Read signatures in GPG key using sq"
+  ansible.builtin.command: sq inspect /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+  changed_when: false
+  failed_when: False
+  check_mode: no
+  register: gpg_fingerprints
+
+- name: "{{{ rule_title }}}: Set Fact - Installed GPG Fingerprints (sq format)"
+  ansible.builtin.set_fact:
+    gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('Fingerprint:\\s*([0-9A-Fa-f]+)', '\\1') | list }}"
+{{% else %}}
+# RHEL 8, 9 and other versions: Use gpg command
+
+- name: "{{{ rule_title }}}: Read signatures in GPG key"
   # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10
   ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
   changed_when: False
   register: gpg_fingerprints
   failed_when: False
   check_mode: no
 
-- name: Set Fact - Installed GPG Fingerprints
+- name: "{{{ rule_title }}}: Set Fact - Installed GPG Fingerprints"
   ansible.builtin.set_fact:
-    gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"
+    gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"
+
+{{% endif %}}
 
-- name: Set Fact - Valid fingerprints
+- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
   ansible.builtin.set_fact:
     gpg_valid_fingerprints:
     - "{{{ release_key_fingerprint }}}"
     - "{{{ auxiliary_key_fingerprint }}}"
+{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
+    - "{{{ pqc_key_fingerprint }}}"
+{{% endif %}}
 
-- name: Import RedHat GPG key
+- name: "{{{ rule_title }}}: Import RedHat GPG key"
   ansible.builtin.rpm_key:
     state: present
     key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
@@ -2,6 +2,9 @@
 # The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
 readonly REDHAT_RELEASE_FINGERPRINT="{{{ release_key_fingerprint }}}"
 readonly REDHAT_AUXILIARY_FINGERPRINT="{{{ auxiliary_key_fingerprint }}}"
+{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
+readonly REDHAT_PQC_FINGERPRINT="{{{ pqc_key_fingerprint }}}"
+{{% endif %}}
 
 # Location of the key we would like to import (once it's integrity verified)
 readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
@@ -13,12 +16,20 @@ if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
 then
   # If they are safe, try to obtain fingerprints from the key file
   # (to ensure there won't be e.g. CRC error).
+{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
+  readarray -t GPG_OUT < <(sq inspect "$REDHAT_RELEASE_KEY" | grep Fingerprint: | cut -d ":" -f 2)
+{{% else %}}
   readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10)
+{{% endif %}}
   GPG_RESULT=$?
   # No CRC error, safe to proceed
   if [ "${GPG_RESULT}" -eq "0" ]
   then
+{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
+    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || {
+{{% else %}}
     echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
+{{% endif %}}
       # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
       rpm --import "${REDHAT_RELEASE_KEY}"
     }

diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
@@ -10,10 +10,12 @@
         </criteria>
         <criterion comment="package gpg-pubkey-{{{ pkg_version }}}-{{{ pkg_release }}} is installed"
         test_ref="test_redhat_package_gpgkey-{{{ pkg_version }}}-{{{ pkg_release }}}_installed" />
-        <criteria comment="Auxiliary Red Hat Key Installed" operator="OR">
           <criterion comment="package gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}} is installed"
           test_ref="test_redhat_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" />
-        </criteria>
+{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
+          <criterion comment="package gpg-pubkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}} is installed"
+          test_ref="test_redhat_package_gpgkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}}_installed" />
+{{% endif %}}
       </criteria>
       {{%- if centos_major_version %}}
       <criteria comment="CentOS Vendor Keys" operator="AND">
@@ -57,6 +59,21 @@
     <linux:version>{{{ aux_pkg_version }}}</linux:version>
   </linux:rpminfo_state>
 
+{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
+  <!-- Test for Red Hat post quantum cryptography key -->
+  <linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
+  id="test_redhat_package_gpgkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}}_installed" version="1"
+  comment="Red Hat post quantum cryptography key package is installed">
+    <linux:object object_ref="object_redhat_package_gpg-pubkey" />
+    <linux:state state_ref="state_redhat_package_gpg-pubkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}}" />
+  </linux:rpminfo_test>
+
+  <linux:rpminfo_state id="state_redhat_package_gpg-pubkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}}" version="1">
+    <linux:release>{{{ pqc_pkg_release }}}</linux:release>
+    <linux:version>{{{ pqc_pkg_version }}}</linux:version>
+  </linux:rpminfo_state>
+{{%endif %}}
+
   {{%- if centos_major_version %}}
   <linux:rpminfo_test check="only one" check_existence="at_least_one_exists"
   id="test_redhat_package_gpgkey-{{{ centos_pkg_version }}}-{{{ centos_pkg_release }}}_installed" version="1"

@@ -1,5 +1,5 @@
 #!/bin/bash
 #
-# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10
 
 rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
@@ -1,5 +1,8 @@
 #!/bin/bash
 #
+{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
+# packages = sequoia-sq
+{{% endif %}}
 
 # remove all available keys
 

diff --git a/products/alinux2/profiles/pci-dss.profile b/products/alinux2/profiles/pci-dss.profile
@@ -25,6 +25,7 @@ selections:
     - '!set_loopback_traffic'
     - '!timer_logrotate_enabled'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_sequoia-sq_installed'
     # Following rules once had a prodtype incompatible with the alinux2 product
     - '!auditd_data_retention_space_left'
     - '!grub2_audit_backlog_limit_argument'

diff --git a/products/alinux3/profiles/pci-dss.profile b/products/alinux3/profiles/pci-dss.profile
@@ -32,6 +32,7 @@ selections:
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_sequoia-sq_installed'
     # Following rules once had a prodtype incompatible with the alinux3 product
     - '!auditd_data_retention_space_left'
     - '!set_firewalld_default_zone'

diff --git a/products/almalinux9/profiles/anssi_bp28_enhanced.profile b/products/almalinux9/profiles/anssi_bp28_enhanced.profile
@@ -46,6 +46,7 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     - '!ensure_oracle_gpgkey_installed'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_sequoia-sq_installed'
     - '!package_kea_removed'
     - '!file_groupowner_efi_grub2_cfg'
     - '!file_owner_efi_grub2_cfg'

diff --git a/products/almalinux9/profiles/anssi_bp28_high.profile b/products/almalinux9/profiles/anssi_bp28_high.profile
@@ -49,6 +49,7 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     - '!ensure_oracle_gpgkey_installed'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_sequoia-sq_installed'
     - '!package_kea_removed'
     - '!audit_rules_file_deletion_events_renameat2'
     - '!audit_rules_dac_modification_fchmodat2'

diff --git a/products/almalinux9/profiles/anssi_bp28_intermediary.profile b/products/almalinux9/profiles/anssi_bp28_intermediary.profile
@@ -39,6 +39,7 @@ selections:
   - '!sudo_add_env_reset'
   - '!ensure_oracle_gpgkey_installed'
   - '!ensure_redhat_gpgkey_installed'
+  - '!package_sequoia-sq_installed'
   - '!package_kea_removed'
   - '!ldap_client_tls_cacertpath'
   - '!ldap_client_start_tls'

diff --git a/products/almalinux9/profiles/anssi_bp28_minimal.profile b/products/almalinux9/profiles/anssi_bp28_minimal.profile
@@ -32,4 +32,5 @@ selections:
   - '!accounts_passwords_pam_tally2_unlock_time'
   - '!ensure_oracle_gpgkey_installed'
   - '!ensure_redhat_gpgkey_installed'
+  - '!package_sequoia-sq_installed'
   - '!package_kea_removed'
diff --git a/products/almalinux9/profiles/pci-dss.profile b/products/almalinux9/profiles/pci-dss.profile
@@ -61,6 +61,7 @@ selections:
     - '!accounts_passwords_pam_tally2'
     - '!ensure_suse_gpgkey_installed'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_sequoia-sq_installed'
     - '!gnome_gdm_disable_unattended_automatic_login'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!cracklib_accounts_password_pam_minlen'

diff --git a/products/anolis23/profiles/pci-dss.profile b/products/anolis23/profiles/pci-dss.profile
@@ -35,6 +35,7 @@ selections:
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_sequoia-sq_installed'
     # Following rules once had a prodtype incompatible with the anolis23 product
     - '!auditd_data_retention_space_left'
     - '!set_firewalld_default_zone'

diff --git a/products/anolis8/profiles/pci-dss.profile b/products/anolis8/profiles/pci-dss.profile
@@ -32,6 +32,7 @@ selections:
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_sequoia-sq_installed'
     # Following rules once had a prodtype incompatible with the anolis8 product
     - '!auditd_data_retention_space_left'
     - '!set_firewalld_default_zone'

diff --git a/products/debian12/profiles/anssi_bp28_enhanced.profile b/products/debian12/profiles/anssi_bp28_enhanced.profile
@@ -44,6 +44,7 @@ selections:
   # Following rules once had a prodtype incompatible with the debian12 product
   - '!accounts_passwords_pam_tally2_deny_root'
   - '!ensure_redhat_gpgkey_installed'
+  - '!package_sequoia-sq_installed'
   - '!set_password_hashing_algorithm_systemauth'
   - '!package_dnf-automatic_installed'
   - '!dnf-automatic_security_updates_only'

diff --git a/products/debian12/profiles/anssi_bp28_high.profile b/products/debian12/profiles/anssi_bp28_high.profile
@@ -44,6 +44,7 @@ selections:
   # Following rules once had a prodtype incompatible with the debian12 product
   - '!accounts_passwords_pam_tally2_deny_root'
   - '!ensure_redhat_gpgkey_installed'
+  - '!package_sequoia-sq_installed'
   - '!set_password_hashing_algorithm_systemauth'
   - '!package_dnf-automatic_installed'
   - '!dnf-automatic_security_updates_only'

diff --git a/products/debian12/profiles/anssi_bp28_intermediary.profile b/products/debian12/profiles/anssi_bp28_intermediary.profile
@@ -36,6 +36,7 @@ selections:
   # Following rules once had a prodtype incompatible with the debian12 product
   - '!accounts_passwords_pam_tally2_deny_root'
   - '!ensure_redhat_gpgkey_installed'
+  - '!package_sequoia-sq_installed'
   - '!set_password_hashing_algorithm_systemauth'
   - '!package_dnf-automatic_installed'
   - '!dnf-automatic_security_updates_only'

diff --git a/products/debian12/profiles/anssi_bp28_minimal.profile b/products/debian12/profiles/anssi_bp28_minimal.profile
@@ -23,6 +23,7 @@ selections:
   # Following rules once had a prodtype incompatible with the debian12 product
   - '!accounts_passwords_pam_tally2_deny_root'
   - '!ensure_redhat_gpgkey_installed'
+  - '!package_sequoia-sq_installed'
   - '!set_password_hashing_algorithm_systemauth'
   - '!package_dnf-automatic_installed'
   - '!dnf-automatic_security_updates_only'

diff --git a/products/debian13/profiles/anssi_bp28_enhanced.profile b/products/debian13/profiles/anssi_bp28_enhanced.profile
@@ -48,6 +48,7 @@ selections:
   # Following rules aren't compatible with Debian 13
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_sequoia-sq_installed'
     - '!set_password_hashing_algorithm_systemauth'
     - '!package_dnf-automatic_installed'
     - '!dnf-automatic_security_updates_only'

diff --git a/products/debian13/profiles/anssi_bp28_high.profile b/products/debian13/profiles/anssi_bp28_high.profile
@@ -44,6 +44,7 @@ selections:
   # Following rules aren't compatible with Debian 13
   - '!accounts_passwords_pam_tally2_deny_root'
   - '!ensure_redhat_gpgkey_installed'
+  - '!package_sequoia-sq_installed'
   - '!set_password_hashing_algorithm_systemauth'
   - '!package_dnf-automatic_installed'
   - '!dnf-automatic_security_updates_only'

diff --git a/products/debian13/profiles/anssi_bp28_intermediary.profile b/products/debian13/profiles/anssi_bp28_intermediary.profile
@@ -34,6 +34,7 @@ selections:
   # Following rules aren't compatible with Debian 13
   - '!accounts_passwords_pam_tally2_deny_root'
   - '!ensure_redhat_gpgkey_installed'
+  - '!package_sequoia-sq_installed'
   - '!set_password_hashing_algorithm_systemauth'
   - '!package_dnf-automatic_installed'
   - '!dnf-automatic_security_updates_only'

diff --git a/products/debian13/profiles/anssi_bp28_minimal.profile b/products/debian13/profiles/anssi_bp28_minimal.profile
@@ -23,6 +23,7 @@ selections:
   # Following rules aren't compatible with Debian 13
   - '!accounts_passwords_pam_tally2_deny_root'
   - '!ensure_redhat_gpgkey_installed'
+  - '!package_sequoia-sq_installed'
   - '!set_password_hashing_algorithm_systemauth'
   - '!package_dnf-automatic_installed'
   - '!dnf-automatic_security_updates_only'

@@ -21,6 +21,7 @@ selections:
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!install_PAE_kernel_on_x86-32'
     - '!ensure_redhat_gpgkey_installed'
+    - '!package_sequoia-sq_installed'
     - '!ensure_almalinux_gpgkey_installed'
     - '!package_dracut-fips-aesni_installed'
     - '!cracklib_accounts_password_pam_lcredit'