Editing Package signatures
The edit can be undone.
Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | |||
− | |||
− | |||
− | |||
− | |||
All the packages that are released by OpenVZ project are digitally signed by OpenVZ GPG key. Thus, you can check that those packages are indeed came from OpenVZ. | All the packages that are released by OpenVZ project are digitally signed by OpenVZ GPG key. Thus, you can check that those packages are indeed came from OpenVZ. | ||
Line 29: | Line 24: | ||
== Checking RPM packages == | == Checking RPM packages == | ||
− | RPM package manager has a build-in GPG signatures support. Signatures are embedded into the .rpm files, and public keys are stored in an rpm database | + | RPM package manager has a build-in GPG signatures support. Signatures are embedded into the .rpm files, and public keys are stored in an rpm database In order to check OpenVZ RPM package signatures, you need to import OpenVZ public key to your RPM database. To that effect, do the following (usually you are required to be root): |
<pre> | <pre> | ||
# rpm --import RPM-GPG-Key-OpenVZ | # rpm --import RPM-GPG-Key-OpenVZ | ||
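Review bot: on the + line the restored paragraph runs two sentences together at "stored in an rpm database In order to check"; add the missing period after "database", and change "build-in" to "built-in" while the line is being touched. The import step that follows (# rpm --import RPM-GPG-Key-OpenVZ) gives readers no way to confirm that the key file is the genuine one, so the text should tell them to compare the key's fingerprint with a value obtained over a separate trusted channel before importing it.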
Line 44: | Line 39: | ||
=== Importing the public key === | === Importing the public key === | ||
− | First, you need to import OpenVZ public key to your GnuPG keychain. You can either import a local file, or search for the key on one of the public keyservers | + | First, you need to import OpenVZ public key to your GnuPG keychain. You can either import a local file, or search for the key on one of the public keyservers. |
==== From a local file ==== | ==== From a local file ==== | ||
Line 53: | Line 48: | ||
==== From the default keyserver ==== | ==== From the default keyserver ==== | ||
<pre> | <pre> | ||
− | $ gpg --search-keys | + | $ gpg --search-keys OpenVZ |
− | gpg: searching for " | + | gpg: searching for "OpenVZ" from hkp server subkeys.pgp.net |
− | (1) OpenVZ Project <security@openvz.org> | + | (1) OpenVZ Project <security@openvz.org> |
− | + | 1024 bit DSA key A7A1D4B6, created: 2005-09-14 | |
− | Keys 1-1 of 1 for " | + | Keys 1-1 of 1 for "OpenVZ". Enter number(s), N)ext, or Q)uit > 1 |
− | gpg: requesting key A7A1D4B6 from hkp server | + | gpg: requesting key A7A1D4B6 from hkp server subkeys.pgp.net |
− | + | ... | |
− | |||
− | |||
</pre> | </pre> | ||
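Review bot: the restored example on the + lines finds the key by a name search (gpg --search-keys OpenVZ) and identifies it only by the 8-character ID A7A1D4B6, and neither of those authenticates the key: anyone can upload a key carrying that name to a public keyserver, and short key IDs can collide. The page should state the full fingerprint and have readers compare it with the output of gpg --fingerprint before they rely on the imported key.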
Line 73: | Line 66: | ||
gpg: requesting key A7A1D4B6 from hkp server pgp.mit.edu | gpg: requesting key A7A1D4B6 from hkp server pgp.mit.edu | ||
... | ... | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
</pre> | </pre> | ||
=== Checking the signature === | === Checking the signature === | ||
− | To check the signature, you need to have both the main file (e.g. the template tarball) and the signature file (the one which ends in <tt>.asc</tt> | + | To check the signature, you need to have both the main file (e.g. the template tarball) and the signature file (the one which ends in <tt>.asc</tt>. Assuming you want to check the signature of <tt>centos-4-i386-default.tar.gz</tt> file: |
− | |||
− | Assuming you want to check the signature of <tt>centos-4-i386-default.tar.gz</tt> file: | ||
<pre> | <pre> | ||
$ gpg --verify centos-4-i386-default.tar.gz.asc | $ gpg --verify centos-4-i386-default.tar.gz.asc |
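Review bot: on the + line under "Checking the signature" the parenthesis opened at "(the one which ends in <tt>.asc</tt>" is never closed, and the undo also folds the separate "Assuming you want to check ..." paragraph into the same line; close the parenthesis and keep the paragraph break. The command in the unchanged context, gpg --verify centos-4-i386-default.tar.gz.asc, names only the signature file, so gpg infers the data file from the name; passing both explicitly, as in gpg --verify centos-4-i386-default.tar.gz.asc centos-4-i386-default.tar.gz, makes it unambiguous which file was checked.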