Difference between revisions of "Package signatures"

From OpenVZ Virtuozzo Containers Wiki
(Filled in Checking RPM packages)
(Filled in Checking files)

Revision as of 10:15, 13 June 2006

All the packages released by the OpenVZ project are digitally signed with the OpenVZ GPG key. Thus, you can check that those packages indeed came from OpenVZ.

Public and private keys

There is a pair of keys generated for the purpose of signing and verifying the signature.

The private key is available to OpenVZ staff only and is protected by a passphrase. This key is used for signing the packages, so nobody but OpenVZ staff can sign them with it.

The public key is available to everyone and can be obtained from a number of places (e.g. the MIT keyserver; search for OpenVZ). The public key is used to verify the signature.

Checking RPM packages

In order to check OpenVZ RPM package signatures, you need to import the OpenVZ public key into your RPM database. To that effect, do the following:

# rpm --import RPM-GPG-Key-OpenVZ

Then, to check the packages, use this command:

$ rpm -K *.rpm

Here *.rpm are some RPM packages.

Checking files

Some files (e.g. precreated OS templates) are also signed by the GPG key. Unlike RPMs, they do not contain the signature inside the file; instead there is a separate small .asc file available.

Importing the public key

First, you need to import the OpenVZ public key into your GnuPG keyring. You can either import a local file, or search for the key on one of the public keyservers.

Local file:

$ gpg --import RPM-GPG-Key-OpenVZ

From the default keyserver:

[kir@kir ~]$ gpg --search-keys OpenVZ
gpg: searching for "OpenVZ" from hkp server subkeys.pgp.net
(1)     OpenVZ Project <security@openvz.org>
          1024 bit DSA key A7A1D4B6, created: 2005-09-14
Keys 1-1 of 1 for "OpenVZ".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key A7A1D4B6 from hkp server subkeys.pgp.net
...

From the pgp.mit.edu keyserver:

$ gpg --keyserver pgp.mit.edu --search-keys OpenVZ
gpg: searching for "OpenVZ" from hkp server pgp.mit.edu
(1)     OpenVZ Project <security@openvz.org>
          1024 bit DSA key A7A1D4B6, created: 2005-09-14
Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key A7A1D4B6 from hkp server pgp.mit.edu

Checking the signature

To check the signature, you need to have both the main file (e.g. the template tarball) and the signature file (the one which ends in .asc). Assuming you want to check the signature of the centos-4-i386-default.tar.gz file:

$ gpg --verify centos-4-i386-default.tar.gz.asc

You should see something like this:

gpg: Signature made Wed Dec 14 19:13:53 2005 MSK using DSA key ID A7A1D4B6
gpg: Good signature from "OpenVZ Project <security@openvz.org>"
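A "Good signature" line is necessary but not sufficient: a script should also confirm that the signature was made by the key you imported, and it should read gpg's machine-readable --status-fd output rather than the human-readable text, which varies with locale and version. The following is an added example, not code from the OpenVZ wiki; it assumes the --status-fd line format documented by GnuPG, and the fingerprints in the constructed sample data are zero-filled placeholders (only the key id A7A1D4B6 comes from this page).

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki): decide programmatically whether a
# detached-signature check succeeded AND was made by the expected key, using
# gpg's machine-readable status lines instead of the human-readable text.

# Return 0 only when the status stream carries GOODSIG, none of the failure
# states, and a VALIDSIG fingerprint ending in the expected key id; else 1.
gpg_status_ok() {
    status="$1"; expected="$2"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" \
        | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) ' && return 1
    # VALIDSIG's third field is the full fingerprint of the signing key.
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ -n "$fpr" ] || return 1
    case "$fpr" in
        *"$expected") return 0 ;;
        *)            return 1 ;;
    esac
}

# Run gpg on <file> and <file>.asc and apply the check above.
# Example: verify_detached centos-4-i386-default.tar.gz A7A1D4B6
verify_detached() {
    file="$1"; keyid="$2"
    status=$(gpg --batch --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null) || true
    gpg_status_ok "$status" "$keyid"
}

# Constructed status streams for offline use. The fingerprints are
# PLACEHOLDERS (zeros), not the real OpenVZ key fingerprint.
GOOD_STATUS='[GNUPG:] GOODSIG 0000000000000000A7A1D4B6 OpenVZ Project <security@openvz.org>
[GNUPG:] VALIDSIG 00000000000000000000000000000000A7A1D4B6 2005-12-14 1134576833 0 4 0 17 2 00 00000000000000000000000000000000A7A1D4B6
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_STATUS='[GNUPG:] BADSIG 0000000000000000A7A1D4B6 OpenVZ Project <security@openvz.org>'
# A good signature, but made by some key other than the one we imported.
OTHER_KEY_STATUS='[GNUPG:] GOODSIG 000000000000000012345678 Someone Else <someone@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000012345678 2005-12-14 1134576833 0 4 0 17 2 00 0000000000000000000000000000000012345678'

if gpg_status_ok "$GOOD_STATUS" A7A1D4B6; then echo "sample: accepted"; else echo "sample: rejected"; fi
```

Once the key is in your keyring, verify_detached centos-4-i386-default.tar.gz A7A1D4B6 applies the same check to the real file and its .asc signature.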