Verifying package signatures
On the CFEngine download page you will find sha256 checksums of all downloadable files, which you can verify with the sha256sum tool. A checksum obtained from the same site as the package only shows that the download was not corrupted or truncated; it does not show who produced the package. For that, *.deb and *.rpm packages (with the exception of AIX rpms) are cryptographically signed using gpg, and the signature can be validated against CFEngine's public key as described below. In both procedures the public key is itself fetched over the network, so confirm its fingerprint out of band (for example against a copy obtained through a different channel) before relying on it.
Validating signature of RPM
NOTE: AIX rpms are currently NOT signed, because package signing is not supported on older versions of AIX.
- Import the public GPG key. `rpm --import` trusts whatever key it is given, so check the fingerprint before depending on it.

```command
rpm --import https://cfengine-package-repos.s3.amazonaws.com/pub/gpg.key
```

- Validate the signature. `rpm -K` exits non-zero if any digest or signature check fails, so scripts should test the exit status rather than search the output for "OK" (a failing line also contains that word, see the note below).

```command
rpm -K ./cfengine-nova-hub-3.12.2-2.x86_64.rpm
```

```output
./cfengine-nova-hub-3.12.2-2.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
```

Newer rpm versions print `digests signatures OK` instead; the meaning is the same.
NOTE: If you don't import the public key first, you will get an error about the key missing:

```command
rpm -K ./cfengine-nova-hub-3.12.2-2.x86_64.rpm
```

```output
./cfengine-nova-hub-3.12.2-2.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#a86e7afa)
```
Validating signature of DEB
- Import the public GPG key into a keyring dedicated to this signer. The directory name is the long key ID of the signing key; debsig-verify looks up the keyring and policy by the ID of the key that signed the package, so it has to match exactly.

```code
# wget https://cfengine-package-repos.s3.amazonaws.com/pub/gpg.key
# mkdir -p /usr/share/debsig/keyrings/7061B663A86E7AFA
# gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/7061B663A86E7AFA/debsig.gpg --import gpg.key
```
- Create a policy. The `id` attributes must carry the same key ID as the keyring directory; `File` names the keyring created in the previous step.

```code
# mkdir -p /etc/debsig/policies/7061B663A86E7AFA
# cat >/etc/debsig/policies/7061B663A86E7AFA/cfengine3.pol <<'EOF'
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
<Origin Name="cfengine3" id="7061B663A86E7AFA" Description="CFEngine 3"/>
<Selection>
<Required Type="origin" File="debsig.gpg" id="7061B663A86E7AFA"/>
</Selection>
<Verification MinOptional="0">
<Required Type="origin" File="debsig.gpg" id="7061B663A86E7AFA"/>
</Verification>
</Policy>
EOF
```
- Validate the signature. debsig-verify exits non-zero when no matching policy is found or the signature does not check out.

```command
debsig-verify cfengine-nova-hub_3.12.2-2_amd64.deb
```

```output
debsig: Verified package from 'CFEngine 3' (cfengine3)
```

NOTE: dpkg does not run debsig-verify on its own: Debian and Ubuntu ship /etc/dpkg/dpkg.cfg with `no-debsig` set, so a downloaded .deb is installed unverified unless you run debsig-verify explicitly (as above) or remove that line.
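As an added example that is not part of the CFEngine documentation, the shell functions below tie the RPM and DEB procedures above together into one fail-closed check: sha256 first, then `rpm -K` or `debsig-verify` depending on the file type. It assumes the expected digest was copied from the download page, that the key has been imported with `rpm --import` for .rpm files, and that the debsig keyring and policy have been installed for .deb files; all function names are the example's own. The `rpm_sig_line_ok` helper also shows why grepping `rpm -K` output for "OK" is a mistake: the failure line for a missing key contains that word too.

```bash
#!/bin/sh
# Added example, not code from the CFEngine documentation. Assumes:
#  - the expected SHA-256 digest was copied from the CFEngine download page;
#  - for .rpm files the public key has been imported with `rpm --import`;
#  - for .deb files the debsig keyring and policy have been installed.
set -eu

# Compare a file's SHA-256 against the expected hex digest (case-insensitive).
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# Classify one line of `rpm -K` output. A failing line ("... NOT OK (MISSING KEYS ...)")
# still contains the substring "OK", so a naive `grep OK` would accept it; test for
# "NOT OK" first and fail closed on anything unrecognised.
rpm_sig_line_ok() {
    case $1 in
        *"NOT OK"*) return 1 ;;   # bad signature or missing public key
        *" OK")     return 0 ;;   # older rpm: "... pgp md5 OK"; newer: "... digests signatures OK"
        *)          return 1 ;;
    esac
}

# Verify an RPM. rpm -K exits non-zero when any digest or signature check fails;
# the output is kept so the reason (e.g. MISSING KEYS) reaches the operator.
verify_rpm() {
    if ! out=$(rpm -K "$1" 2>&1); then
        printf '%s\n' "$out" >&2
        return 1
    fi
    rpm_sig_line_ok "$out"
}

# Verify a .deb. debsig-verify exits non-zero unless a policy under
# /etc/debsig/policies matches the signing key and the signature checks out.
verify_deb() {
    debsig-verify "$1"
}

# Checksum first (cheap, catches truncated downloads), then the signature.
verify_package() {
    file=$1 sha=$2
    verify_sha256 "$file" "$sha" || { echo "sha256 mismatch: $file" >&2; return 1; }
    case $file in
        *.rpm) verify_rpm "$file" ;;
        *.deb) verify_deb "$file" ;;
        *)     echo "unsupported package type: $file" >&2; return 1 ;;
    esac
}

# Usage (the digest is the one shown next to the file on the download page):
#   verify_package ./cfengine-nova-hub-3.12.2-2.x86_64.rpm <sha256> && rpm -i ./cfengine-nova-hub-3.12.2-2.x86_64.rpm
```

Only install when `verify_package` returns success; the `&&` in the usage line does that, and every failure path prints the reason to stderr before returning non-zero.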