Editing Package signatures
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | |||
− | |||
− | |||
− | |||
− | |||
All the packages that are released by OpenVZ project are digitally signed by OpenVZ GPG key. Thus, you can check that those packages are indeed came from OpenVZ. | All the packages that are released by OpenVZ project are digitally signed by OpenVZ GPG key. Thus, you can check that those packages are indeed came from OpenVZ. | ||
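Review bot: the five removed lines at the top of this hunk render empty in the comparison, so whatever is being dropped from the head of the page cannot be reviewed from this view; check the raw revision before saving the undo. Minor style point in the retained context line: "those packages are indeed came from OpenVZ" should read "those packages indeed came from OpenVZ".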
Line 11: | Line 6: | ||
'''Private key''' is the key that is available to OpenVZ stuff only and is protected by the passphrase. This key is used for signing the packages, so nobody else but OpenVZ stuff can sign them using this key. | '''Private key''' is the key that is available to OpenVZ stuff only and is protected by the passphrase. This key is used for signing the packages, so nobody else but OpenVZ stuff can sign them using this key. | ||
− | '''Public key''' is the key that is available to everyone and can | + | '''Public key''' is the key that is available to everyone and can be obtained from a number of places (e.g. [http://pgp.mit.edu/ MIT keyserver] — search for OpenVZ). Public key is used to verify the signature. |
=== OpenVZ public key === | === OpenVZ public key === | ||
OpenVZ public key is available from the several sources. We urge you to use a few different sources because chances are lower they all can be compromised at the same time. | OpenVZ public key is available from the several sources. We urge you to use a few different sources because chances are lower they all can be compromised at the same time. | ||
− | * [http:// | + | * [http://openvz.org/download/RPM-GPG-Key-OpenVZ.txt RPM-GPG-Key-OpenVZ] Main site |
* [http://download.openvz.org/RPM-GPG-Key-OpenVZ RPM-GPG-Key-OpenVZ] Download site | * [http://download.openvz.org/RPM-GPG-Key-OpenVZ RPM-GPG-Key-OpenVZ] Download site | ||
− | * [http:// | + | * [http://keyserv.nic-se.se:11371/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6 RPM-GPG-Key-OpenVZ] keyserv.nic-se.se |
* [http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7A1D4B6 RPM-GPG-Key-OpenVZ] pgp.mit.edu | * [http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7A1D4B6 RPM-GPG-Key-OpenVZ] pgp.mit.edu | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== Checking RPM packages == | == Checking RPM packages == | ||
− | + | In order to check OpenVZ RPM package signatures, you need to import OpenVZ public key to your RPM database. To that effect, do the following: | |
<pre> | <pre> | ||
# rpm --import RPM-GPG-Key-OpenVZ | # rpm --import RPM-GPG-Key-OpenVZ | ||
</pre> | </pre> | ||
− | Then, to check the packages, use this command | + | Then, to check the packages, use this command: |
<pre> | <pre> | ||
$ rpm -K *.rpm | $ rpm -K *.rpm | ||
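Review bot: the key-source list in this hunk gives four places to fetch RPM-GPG-Key-OpenVZ but never states the key's full fingerprint, so a reader who follows the page's own advice to compare several sources has nothing authoritative to compare them against. The keyserv.nic-se.se link identifies the key by its 64-bit ID 0x92A60DA6A7A1D4B6 while the pgp.mit.edu link uses only the 32-bit short ID 0xA7A1D4B6; a 32-bit ID is short enough that a different key with the same short ID can be generated, so the text should print the full fingerprint next to the list and tell readers to confirm it with "gpg --fingerprint" after import. All four links are plain http, which the "lower chance they are all compromised" argument does not address. Style: "OpenVZ stuff" in the private-key sentence (both columns) should be "OpenVZ staff", and the "rpm -K" step should say what a passing result looks like (a line ending in "gpg OK") so that a reader does not treat any output as success; the seven removed lines between the key list and the "Checking RPM packages" heading show no content in this view.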
Line 43: | Line 31: | ||
Some files (e.g. precreated OS templates) are also signed by the GPG key. Unlike RPMS, they do not contain the signature inside the file, but rather there is a separate small <tt>.asc</tt> file available. | Some files (e.g. precreated OS templates) are also signed by the GPG key. Unlike RPMS, they do not contain the signature inside the file, but rather there is a separate small <tt>.asc</tt> file available. | ||
− | + | == Importing the public key == | |
− | First, you need to import OpenVZ public key to your GnuPG keychain. You can either import a local file, or search for the key on one of the public keyservers | + | First, you need to import OpenVZ public key to your GnuPG keychain. You can either import a local file, or search for the key on one of the public keyservers. |
− | + | Local file: | |
<pre> | <pre> | ||
$ gpg --import RPM-GPG-Key-OpenVZ | $ gpg --import RPM-GPG-Key-OpenVZ | ||
</pre> | </pre> | ||
− | + | From the default keyserver: | |
<pre> | <pre> | ||
− | $ gpg --search-keys | + | [kir@kir ~]$ gpg --search-keys OpenVZ |
− | gpg: searching for " | + | gpg: searching for "OpenVZ" from hkp server subkeys.pgp.net |
− | (1) OpenVZ Project <security@openvz.org> | + | (1) OpenVZ Project <security@openvz.org> |
− | + | 1024 bit DSA key A7A1D4B6, created: 2005-09-14 | |
− | Keys 1-1 of 1 for " | + | Keys 1-1 of 1 for "OpenVZ". Enter number(s), N)ext, or Q)uit > 1 |
− | gpg: requesting key A7A1D4B6 from hkp server | + | gpg: requesting key A7A1D4B6 from hkp server subkeys.pgp.net |
− | + | ... | |
− | |||
− | |||
</pre> | </pre> | ||
− | + | From the pgp.mit.edu keyserver: | |
<pre> | <pre> | ||
$ gpg --keyserver pgp.mit.edu --search-keys OpenVZ | $ gpg --keyserver pgp.mit.edu --search-keys OpenVZ | ||
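Review bot: the default-keyserver transcript in this hunk searches by the name "OpenVZ" and accepts entry (1) without comparing it to anything; a keyserver returns any key whose user ID contains that string, so the text should tell the reader to check that the key shown ("1024 bit DSA key A7A1D4B6, created: 2005-09-14") matches the ID of the key obtained from the download site before pressing 1, rather than trusting the first hit. Style: the prompt "[kir@kir ~]$" is inconsistent with the bare "$" used in every other <pre> block on the page, and the two removed lines after the "..." line render empty in the comparison.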
Line 72: | Line 58: | ||
Enter number(s), N)ext, or Q)uit > 1 | Enter number(s), N)ext, or Q)uit > 1 | ||
gpg: requesting key A7A1D4B6 from hkp server pgp.mit.edu | gpg: requesting key A7A1D4B6 from hkp server pgp.mit.edu | ||
− | |||
</pre> | </pre> | ||
− | + | == Checking the signature == | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | Assuming you want to check the signature of <tt>centos-4-i386-default.tar.gz</tt> file: | + | To check the signature, you need to have both the main file (e.g. the template tarball) and the signature file (the one which ends in <tt>.asc</tt>. Assuming you want to check the signature of <tt>centos-4-i386-default.tar.gz</tt> file: |
<pre> | <pre> | ||
$ gpg --verify centos-4-i386-default.tar.gz.asc | $ gpg --verify centos-4-i386-default.tar.gz.asc |
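Review bot: the sentence added in this hunk has an unclosed parenthesis: "(the one which ends in <tt>.asc</tt>." needs ")" after "</tt>". More importantly, the section stops at the "gpg --verify" command and does not say what to look for in its output: gpg reports "Good signature" for any key present in the keyring, including one the reader just imported from a keyserver by name, so the text should state that the key ID reported by gpg must be A7A1D4B6 (the key shown earlier on the page) and that the "This key is not certified with a trusted signature" warning is expected until the key has been locally signed or given a trust level. The eleven removed lines above the added sentence render empty in the comparison and cannot be reviewed here.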