594
edits
Changes
no edit summary
OpenVz7 packages are the same binaries as Virtuozzo7 and signed by Virtuozzo GPG key
[http://repo.virtuozzo.com/vzlinux/security/VIRTUOZZO_GPG_KEY]
Info below is related to OpenVz legacy packages.
All the packages that are released by OpenVZ project are digitally signed by OpenVZ GPG key. Thus, you can check that those packages are indeed came from OpenVZ.
OpenVZ public key is available from the several sources. We urge you to use a few different sources because chances are lower they all can be compromised at the same time.
* [http://old.openvz.org/download/RPM-GPG-Key-OpenVZ.txt RPM-GPG-Key-OpenVZ] Main Old main site
* [http://download.openvz.org/RPM-GPG-Key-OpenVZ RPM-GPG-Key-OpenVZ] Download site
* [http://pgpkeys.pca.dfn.de/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6 RPM-GPG-Key-OpenVZ] wwwkeys.de.pgp.net
* [http://keys.keysigning.org:11371/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6 RPM-GPG-Key-OpenVZ] keys.keysigning.org
* [http://pgp.surfnet.nl:11371/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6 RPM-GPG-Key-OpenVZ] pgp.surfnet.nl
* [http://keys.gnupg.net/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6 RPM-GPG-Key-OpenVZ] keys.gnupg.net
* [http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6 RPM-GPG-Key-OpenVZ] pool.sks-keyservers.net
* [http://keys.nayr.net:11371/pks/lookup?op=get&search=0x92A60DA6A7A1D4B6 RPM-GPG-Key-OpenVZ] keys.nayr.net
Key fingerprint = DEAB A031 F0A1 8848 9D71 01D2 92A6 0DA6 A7A1 D4B6
== Checking RPM packages ==
RPM package manager has a build-in GPG signatures support. Signatures are embedded into the .rpm files, and public keys are stored in an rpm database . In order to check OpenVZ RPM package signatures, you need to import OpenVZ public key to your RPM database. To that effect, do the following (usually you are required to be root):
<pre>
# rpm --import RPM-GPG-Key-OpenVZ
=== Importing the public key ===
First, you need to import OpenVZ public key to your GnuPG keychain. You can either import a local file, or search for the key on one of the public keyservers. Second, you should verify the key against the fingerprint.
==== From a local file ====
==== From the default keyserver ====
<pre>
$ gpg --search-keys OpenVZsecurity@openvz.orggpg: searching for "OpenVZsecurity@openvz.org" from hkp server subkeyskeys.pgpgnupg.net(1) OpenVZ Project <security@openvz.org> 1024 bit DSA key A7A1D4B6, created: 2005-09-14Keys 1-1 of 1 for "OpenVZsecurity@openvz.org". Enter number(s), N)ext, or Q)uit > 1gpg: requesting key A7A1D4B6 from hkp server subkeyskeys.pgpgnupg.netgpg: key A7A1D4B6: public key "OpenVZ Project <security@openvz...org>" importedgpg: Total number processed: 1gpg: imported: 1
</pre>
gpg: requesting key A7A1D4B6 from hkp server pgp.mit.edu
...
</pre>
==== Checking the imported key fingerprint ====
<pre>
$ gpg --fingerprint A7A1D4B6
pub 1024D/A7A1D4B6 2005-09-14
Key fingerprint = DEAB A031 F0A1 8848 9D71 01D2 92A6 0DA6 A7A1 D4B6
uid OpenVZ Project <security@openvz.org>
sub 1024g/FCF77DF7 2009-02-06
</pre>
=== Checking the signature ===
To check the signature, you need to have both the main file (e.g. the template tarball) and the signature file (the one which ends in <tt>.asc</tt>). Assuming you want to check the signature of <tt>centos-4-i386-default.tar.gz</tt> file:
<pre>
$ gpg --verify centos-4-i386-default.tar.gz.asc
