Difference between revisions of "Package signatures"

From OpenVZ Virtuozzo Containers Wiki

Latest revision as of 06:01, 17 July 2020

OpenVZ 7 packages are the same binaries as Virtuozzo 7 and are signed with the Virtuozzo GPG key: http://repo.virtuozzo.com/vzlinux/security/VIRTUOZZO_GPG_KEY

The information below relates to OpenVZ legacy packages.

All the packages released by the OpenVZ project are digitally signed with the OpenVZ GPG key. Thus, you can check that those packages indeed came from OpenVZ.

Public and private keys

There is a pair of keys generated for the purpose of signing and verifying the signature.

The private key is available to OpenVZ staff only and is protected by a passphrase. This key is used for signing the packages, so nobody but OpenVZ staff can sign them with this key.

The public key is available to everyone and can usually be obtained from a number of different places. The public key is used to verify the signature.

OpenVZ public key

The OpenVZ public key is available from several sources. We urge you to use a few different sources, because the chances are lower that they can all be compromised at the same time.

* Main site: http://openvz.org/download/RPM-GPG-Key-OpenVZ.txt
* Old main site: http://old.openvz.org/download/RPM-GPG-Key-OpenVZ.txt
* Download site: http://download.openvz.org/RPM-GPG-Key-OpenVZ
* wwwkeys.de.pgp.net: http://pgpkeys.pca.dfn.de/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6
* keys.keysigning.org: http://keys.keysigning.org:11371/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6
* pgp.surfnet.nl: http://pgp.surfnet.nl:11371/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6
* keys.gnupg.net: http://keys.gnupg.net/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6
* pool.sks-keyservers.net: http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6
* keys.nayr.net: http://keys.nayr.net:11371/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6

Whichever source you use, check the key you obtained against this fingerprint:

Key fingerprint = DEAB A031 F0A1 8848 9D71  01D2 92A6 0DA6 A7A1 D4B6

Checking RPM packages

The RPM package manager has built-in GPG signature support. Signatures are embedded into the .rpm files, and public keys are stored in the RPM database. In order to check OpenVZ RPM package signatures, you need to import the OpenVZ public key into your RPM database. To do that, run the following (usually you need to be root):

# rpm --import RPM-GPG-Key-OpenVZ

Then, to check the packages, use this command (root is not needed):

$ rpm -K *.rpm

Here *.rpm stands for the RPM packages you want to check.

Checking files

Some files (e.g. precreated OS templates) are also signed with the GPG key. Unlike RPMs, they do not contain the signature inside the file; instead, a separate small .asc file is available.

Importing the public key

First, you need to import the OpenVZ public key into your GnuPG keychain. You can either import a local file or search for the key on one of the public keyservers. Second, you should verify the key against the fingerprint.

From a local file

$ gpg --import RPM-GPG-Key-OpenVZ

From the default keyserver

$ gpg --search-keys security@openvz.org
gpg: searching for "security@openvz.org" from hkp server keys.gnupg.net
(1)     OpenVZ Project <security@openvz.org>
          1024 bit DSA key A7A1D4B6, created: 2005-09-14
Keys 1-1 of 1 for "security@openvz.org".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key A7A1D4B6 from hkp server keys.gnupg.net
gpg: key A7A1D4B6: public key "OpenVZ Project <security@openvz.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

From the pgp.mit.edu keyserver

$ gpg --keyserver pgp.mit.edu --search-keys OpenVZ
gpg: searching for "OpenVZ" from hkp server pgp.mit.edu
(1)     OpenVZ Project <security@openvz.org>
          1024 bit DSA key A7A1D4B6, created: 2005-09-14
Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key A7A1D4B6 from hkp server pgp.mit.edu
...

Checking the imported key fingerprint

$ gpg --fingerprint A7A1D4B6
pub   1024D/A7A1D4B6 2005-09-14
      Key fingerprint = DEAB A031 F0A1 8848 9D71  01D2 92A6 0DA6 A7A1 D4B6
uid                  OpenVZ Project <security@openvz.org>
sub   1024g/FCF77DF7 2009-02-06

Checking the signature

To check the signature, you need to have both the main file (e.g. the template tarball) and the signature file (the one which ends in .asc).

Assuming you want to check the signature of the centos-4-i386-default.tar.gz file:

$ gpg --verify centos-4-i386-default.tar.gz.asc

You should see something like this:

gpg: Signature made Wed Dec 14 19:13:53 2005 MSK using DSA key ID A7A1D4B6
gpg: Good signature from "OpenVZ Project <security@openvz.org>"
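The three steps above (importing the key, checking its fingerprint, verifying the detached signature) are shown interactively on the page. The POSIX shell script below is an added example, not part of the OpenVZ wiki page, that does the same non-interactively and makes the two checks a human does by eye explicit: it compares the full 40-digit fingerprint from the page (the short ID A7A1D4B6 is not unique enough to rely on), and it accepts a signature only when gpg's VALIDSIG status record names that fingerprint, since "Good signature" is printed for any key in the keyring. It reads gpg's machine-readable --with-colons and --status-fd output; the script name, and the sample colon and status lines used to exercise it, are constructed.

```shell
#!/bin/sh
# Added example, not part of the OpenVZ wiki page: fetch the OpenVZ key, check
# its full fingerprint, and verify a detached .asc signature while confirming
# which key made it. It parses gpg's --with-colons and --status-fd records
# rather than the human-readable text shown on the page.

# Fingerprint published on the wiki page, with the spaces removed.
OPENVZ_FPR=DEABA031F0A188489D7101D292A60DA6A7A1D4B6
# Long key ID taken from the keyserver URLs on the page; the 8-digit form
# A7A1D4B6 is too short to be unambiguous, so it is never relied on alone.
OPENVZ_KEYID=0x92A60DA6A7A1D4B6

# Strip spaces and upper-case a fingerprint so both spellings compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint <key>` output on stdin; succeed only
# if the primary key's fingerprint (the first fpr: record; later ones belong
# to subkeys) equals $1. Field 10 of an fpr: record holds the fingerprint.
fpr_output_matches() {
    expected=$(norm_fpr "$1")
    got=$(awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Read `gpg --status-fd 1 --verify` output on stdin. Accept only a VALIDSIG
# record whose signing-key ($3) or primary-key (last field) fingerprint is $1.
# GOODSIG ("Good signature") alone is not enough: gpg prints it for any key
# in the keyring, trusted or not, including a look-alike key with the same
# user ID. Any BADSIG/ERRSIG/NO_PUBKEY/EXPKEYSIG/REVKEYSIG record rejects.
status_output_valid() {
    expected=$(norm_fpr "$1")
    awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" ||
                             $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# Import the key from a local file (first argument) or, with no argument,
# from the default keyserver, then insist on the published fingerprint.
import_openvz_key() {
    if [ -n "$1" ]; then
        gpg --import "$1"
    else
        gpg --recv-keys "$OPENVZ_KEYID"
    fi || return 1
    gpg --with-colons --fingerprint "$OPENVZ_KEYID" | fpr_output_matches "$OPENVZ_FPR"
}

# Verify file $1 against its detached signature $1.asc. Naming both files
# stops gpg from guessing the data file from the signature's name.
verify_detached() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | status_output_valid "$OPENVZ_FPR"
}

# Usage: sh verify-openvz-file.sh centos-4-i386-default.tar.gz [more files]
# (run import_openvz_key once beforehand).
for f in "$@"; do
    if verify_detached "$f"; then
        echo "$f: good signature from the OpenVZ key"
    else
        echo "$f: signature check FAILED" >&2
        exit 1
    fi
done
```

Both parsers take gpg's output on stdin, so they can be exercised without network access or a keyring, and the same fingerprint constant is the single source of truth for the import check and the signature check.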