Secure, auditable Red Hat RPM repositories for engineering teams

Engineering teams consuming RPM packages from the official RHEL registry face real supply chain risk. Cloudsmith gives you a controlled, private proxy layer in front of upstream Red Hat repositories - with CVE scanning, GPG signing, entitlement token access control, and full audit logs across every package install.

Universal format support

One registry, every artifact your Linux infrastructure depends on. Cloudsmith sits in front of RHEL and keeps your supply chain clean.

  • Use Red Hat RPM + 30 other formats in one place
  • Proxy and cache packages from upstream RHEL registries with full CVE scanning on every pull
  • Centrally manage RPM packages alongside containers, Helm charts, and raw binaries

How we support Red Hat RPM

Cloudsmith gives engineering teams consuming RPM packages from RHEL a controlled, secure, and observable proxy layer - without adding operational overhead.
    Upstream proxying and caching
    Configure Cloudsmith as a controlled proxy in front of official RHEL repositories. All requests flow through your private layer, where packages are scanned and cached for future installs - eliminating direct exposure to public registries.
    CVE and malware scanning
    Every RPM package pulled through Cloudsmith is scanned for known CVEs and malware. Set automated policies to quarantine or block packages that breach your severity threshold before they reach any machine.
    Automatic GPG signing
    RPM packages are signed with a GPG key on upload to Cloudsmith. Bring your own custom GPG or RSA key, or use Cloudsmith's managed signing - ensuring every package your systems install is cryptographically verified.
    Entitlement token access control
    Issue scoped, read-only entitlement tokens to grant teams and CI systems precisely the access they need. Combine with SAML, OIDC, and SCIM to enforce zero-trust access across your entire RPM distribution workflow.
    Low-latency global distribution
    Packages are served from 600+ edge points of presence worldwide. Engineers in any region pull RPMs at low latency without the need to self-host regional mirrors or manage infrastructure.

Why teams choose Cloudsmith for Red Hat RPM

Pulling RPMs directly from public RHEL registries leaves teams exposed to unscanned vulnerabilities, dependency confusion, and zero visibility. Cloudsmith puts a hardened, observable layer between your engineers and upstream.
Without Cloudsmith: Engineers pull RPMs directly from upstream RHEL repositories with no inspection layer. A vulnerable or tampered package is installed across your fleet before anyone knows it exists.
With Cloudsmith: Every RPM passes through Cloudsmith's proxy, where CVE scanning runs automatically. Packages that breach your policy are quarantined before they reach a single machine.
Without Cloudsmith: Dependency confusion attacks go undetected. Your build systems reach out to public registries and can be tricked into pulling attacker-controlled packages when namespace collisions occur.
With Cloudsmith: Cloudsmith isolates your internal packages from upstream registries. Local packages always take precedence and your build systems never reach a public registry directly.
Without Cloudsmith: There is no audit trail for which package version was installed on which system, by whom, or when. Responding to a new CVE disclosure means guessing at your exposure across hundreds of hosts.
With Cloudsmith: Full client and audit logs give you a complete, queryable record of every RPM install. When a new CVE lands, you know exactly which systems are affected within seconds.

Signs you're ready to switch to Cloudsmith for Red Hat RPM

If your team manages RHEL-based infrastructure at scale, the gaps in self-hosted or unmanaged RPM workflows grow fast. Here is what teams typically hit before they move to Cloudsmith.
    No inspection on upstream pulls
    Packages fetched directly from public RHEL or third-party RPM mirrors arrive with no CVE or malware check. Cloudsmith scans every package at the proxy layer so nothing unvetted reaches your hosts.
    Fragile or missing package signing
    Managing GPG keys manually across distributed teams is error-prone. Cloudsmith signs every RPM automatically on ingest and lets you bring your own key, removing a common point of failure in verifying package integrity.
    Self-hosted mirror infrastructure
    Running Spacewalk, Pulp, or on-premises Nexus to mirror RHEL repos means ongoing patching, storage management, and availability risk. Cloudsmith is fully managed - no instances to run, no downtime to plan for.
    Slow installs for distributed or remote teams
    Engineers in distant regions or air-gapped environments wait on a single central mirror. Cloudsmith's 600+ PoP edge network delivers RPMs at low latency to any location without additional mirror configuration.
    No visibility into CVE exposure
    When a critical vulnerability like xz/liblzma (CVE-2024-3094) lands, you need to know immediately which hosts installed the affected version. Without Cloudsmith's audit logs and analytics, that answer takes days.

Frequently asked questions

  1. Yes. You can configure Cloudsmith as an upstream proxy in front of any Red Hat repository, including the official RHEL registry and third-party RPM sources. Packages that are not already cached in your Cloudsmith repository are fetched from the upstream on demand, scanned, and optionally cached for future requests.

  2. Yes. Vulnerability scanning is available for all supported packages in a repository. When enabled, every RPM package - whether uploaded directly or pulled through an upstream proxy - is scanned for known CVEs. You can set automated quarantine and block policies based on severity so that high-risk packages never reach your hosts.

  3. Cloudsmith automatically signs RPM packages with a GPG key on upload. You can use Cloudsmith's managed signing key or provide your own custom GPG or RSA key. The public key is served alongside your repository configuration so that tools like yum, dnf, and zypper can verify package integrity on install.

  4. Cloudsmith isolates your internal packages from public upstream registries. Locally uploaded packages always take precedence over upstream-proxied packages. By routing all installs through Cloudsmith, your build systems and hosts never reach a public registry directly, eliminating the namespace collision risk that enables dependency confusion attacks.

  5. Cloudsmith supports all major RPM-based distributions, including Red Hat Enterprise Linux (RHEL), CentOS, Fedora, Amazon Linux, Rocky Linux, AlmaLinux, and openSUSE/SUSE Linux Enterprise. Setup configuration scripts are available for yum, dnf, and zypper package managers.

  6. Cloudsmith supports entitlement token authentication and HTTP Basic Authentication for private repositories. Entitlement tokens can be scoped to read-only access, making them safe to use in CI pipelines and deployment scripts. You can also integrate with SAML, OIDC, and SCIM for enterprise identity management.

  7. Yes. Cloudsmith captures full client and audit logs for every package request, giving you a timestamped, queryable record of which package versions were pulled, by which token, from which IP. When a CVE is disclosed, you can identify all affected hosts immediately rather than guessing at exposure.

  8. Yes. Cloudsmith is a fully managed service with no infrastructure for you to operate. Teams migrating from self-hosted solutions such as Pulp, Spacewalk, or on-premises Nexus can point their yum or dnf configuration at Cloudsmith repositories and benefit from automatic scaling, 99.99% availability SLAs, and a global CDN without running a single server.

  9. Cloudsmith uses elastic load balancing and a globally distributed CDN with 600+ points of presence to serve packages at low latency to any region. Capacity scales automatically with demand, so there are no instances to provision and no planned maintenance windows that affect package availability.

  10. Yes. Cloudsmith's package analytics and audit logs provide the traceability data needed to support compliance programs. Every package in your repository has a full provenance record. Combined with vulnerability scanning results, this gives your security team the visibility required to respond to audits and maintain accurate software bills of materials.
