Verifying package signatures

Table of Contents

On the Download CFEngine, you will find sha256 checksums of all downloadable files which you can verify by using sha256sum tool.

In addition to this, *.deb and *.rpm packages (with the exception of AIX rpms) are cryptographically signed using gpg.

Validating signature of RPM

NOTE: AIX rpms currently are NOT signed because it's not supported on older versions of AIX.

  1. Import the public GPG key.
# rpm --import https://cfengine-package-repos.s3.amazonaws.com/pub/gpg.key
  1. Validate the signature.
# rpm -K ./cfengine-nova-hub-3.12.2-2.x86_64.rpm 
./cfengine-nova-hub-3.12.2-2.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

NOTE: If you don't import the public key first, you will get an error about the key missing:

# rpm -K ./cfengine-nova-hub-3.12.2-2.x86_64.rpm 
./cfengine-nova-hub-3.12.2-2.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#a86e7afa) 

Validating signature of DEB

  1. Import the public GPG key.
# wget https://cfengine-package-repos.s3.amazonaws.com/pub/gpg.key
# mkdir /usr/share/debsig/keyrings/7061B663A86E7AFA
# gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/7061B663A86E7AFA/debsig.gpg --import gpg.key
  1. Create a policy.
# mkdir /etc/debsig/policies/7061B663A86E7AFA
# cat >/etc/debsig/policies/7061B663A86E7AFA/cfengine3.pol
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <Origin Name="cfengine3" id="7061B663A86E7AFA" Description="CFEngine 3"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="7061B663A86E7AFA"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="7061B663A86E7AFA"/>
  </Verification>
</Policy>
^D
  1. Validate the signature.
# debsig-verify cfengine-nova-hub_3.12.2-2_amd64.deb
debsig: Verified package from 'CFEngine 3' (cfengine3)