Story | Resolution: Unresolved | Normal
SA-10(1) says:
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
For containers we can check signatures, and that work is planned in another ticket, but for some reason (perhaps because rpm-ostree doesn't support it?) the corresponding rules are disabled in the rhcos4 moderate profile.
We need to figure out what RHCOS does to validate the integrity of packages and images. Is a signature checked somewhere, or does integrity come exclusively from the ostree hash?
Acceptance criteria:
- ask the rpm-ostree team how the SHA hash of the ostree tree is computed and whether it can be used as an integrity check instead
- more generally: the hash covers the contents of the package, or rather of the CoreOS image or tree; is that hash something we can rely on?
- the answers to the above will likely give us wording we can use as the response for this control
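To make the question in the acceptance criteria concrete, here is an added illustration (not code from this ticket, from RHCOS or from the rpm-ostree project) of what a content hash over a file tree does and does not give you. The `tree_hash` function is a deliberately simple deterministic digest over paths and contents; it is an assumption for illustration and is not OSTree's actual object format. The sample tree it builds in a temporary directory is constructed inline.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def tree_hash(root: Path) -> str:
    """Deterministic SHA-256 over every regular file in a tree.

    Illustrative only (assumption): OSTree uses its own content-addressed
    object store, but the property demonstrated is the same: the digest is
    bound to both the relative path and the bytes of each file, in a fixed
    order, so any change to contents or layout changes the result.
    """
    h = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix().encode()
        data = path.read_bytes()
        # Length-prefix both fields so boundaries cannot be shifted.
        h.update(len(rel).to_bytes(4, "big"))
        h.update(rel)
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


def verify_tree(root: Path, expected_hex: str) -> bool:
    """Compare the recomputed tree hash with a pinned reference value.

    The hash alone only proves the tree matches *some* reference; the
    reference itself has to come from a trusted source (for example a
    signed commit or a signed manifest), otherwise an attacker who can
    replace the tree can replace the expected hash as well.
    """
    return hmac.compare_digest(tree_hash(root), expected_hex)


def demo() -> dict:
    """Build a constructed sample tree, pin its hash, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "usr" / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "etc").mkdir()
        (root / "etc" / "config").write_bytes(b"mode=strict\n")

        pinned = tree_hash(root)          # the value a trusted manifest would carry
        intact = verify_tree(root, pinned)

        # Simulate a modified binary in the deployed tree.
        (root / "usr" / "bin" / "tool").write_bytes(b"#!/bin/sh\necho changed\n")
        after_tamper = verify_tree(root, pinned)

        # Simulate a path change with identical contents (rename).
        (root / "usr" / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "usr" / "bin" / "tool").rename(root / "usr" / "bin" / "tool2")
        after_rename = verify_tree(root, pinned)

        return {
            "intact": intact,
            "after_tamper": after_tamper,
            "after_rename": after_rename,
            "digest_len": len(pinned),
        }


if __name__ == "__main__":
    print(demo())
```

The takeaway for the control: a tree or commit hash detects that content diverged from a reference, which is the integrity half of SA-10(1); whether that reference is trustworthy is the part a signature (or a signed manifest carrying the hash) has to supply, which is the question the acceptance criteria ask the rpm-ostree team to settle.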