Public PGP/GPG Key

This is the public PGP/GPG Key that can be used to verify the Cloudamize signature.


RPM Packages

Adding the key

RPM uses its own key management and the key can be added via:

    rpm --import <key_file>

Verifying Package

Verifying the package was signed can be done as follows:

    # rpm -K cloudamize_agent.rpm
    rpm: rsa sha1 (md5) pgp md5 OK
    # rpm -q --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p cloudamize_agent.rpm
    RSA/SHA1, Wed 29 Jan 2020 07:15:38 PM UTC, Key ID fd4e3a923f982b1f (not a blob)

A bad verification (key not trusted / imported) will look like:

    # rpm -K cloudamize_agent.rpm
    rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#3f982b1f)
    # rpm -q --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p cloudamize_agent.rpm
    warning: cloudamize_agent.rpm: Header V3 RSA/SHA1 Signature, key ID 3f982b1f: NOKEY
    RSA/SHA1, Tue 23 Jun 2020 06:17:28 PM UTC, Key ID fd4e3a923f982b1f (none)

DEB Packages

DEB Packages are signed with “dpkg-sig”, not “debsign”. You cannot use debsig-verify to verify the package.

Adding the key

dpkg-sig uses the gpg keyring, so to successfully verify a package, the public key needs to be imported.

    gpg --import <pub-key-file>

Verifying Package

Verifying the signature is not automatic. There are two ways to verify. One is to use dpkg-sig:

    # dpkg-sig --verify cloudamize_agent.deb
    Processing cloudamize_agent.deb...
    GOODSIG _gpgbuilder 42C4433CD2C1A77270B43E4CFD4E3A923F982B1F 1580325339

You can also use gpg and ar:

    # mkdir deb
    # mv cloudamize_agent.deb deb/
    # cd deb/
    # ar x cloudamize_agent.deb
    # ls
    deb control.tar.gz  data.tar.gz  debian-binary  _gpgbuilder
    # gpg --verify _gpgbuilder
    gpg: Signature made Wed 29 Jan 2020 07:15:39 PM UTC using RSA key ID 3F982B1F
    gpg: Good signature from "Cloudamize <[email protected]>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 42C4 433C D2C1 A772 70B4 3E4C FD4E 3A92 3F98 2B1F

The warning means that no key you already trust has certified our signing key, which is to be expected.

A failed verification will look like:

    # gpg --verify _gpgbuilder
    gpg: Signature made Tue 23 Jun 2020 06:17:30 PM UTC using RSA key ID 3F982B1F
    gpg: Can't check signature: public key not found
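
The checks above can be scripted so that an install step runs only when the signature is good and was made by the expected key. The following is an added example, not part of the original article or a Cloudamize tool: the function names are hypothetical, the pinned fingerprint is the one printed in the dpkg-sig and gpg output above, and treating every non-GOODSIG status word as a failure is an assumption.

```shell
#!/bin/sh
# Added example (not Cloudamize's script). Pinned fingerprint copied from the
# dpkg-sig / gpg output shown on this page.
EXPECTED_FPR="42C4433CD2C1A77270B43E4CFD4E3A923F982B1F"

# check_deb_sig: stdin = output of `dpkg-sig --verify <pkg>`.
# Passes only if there is at least one status line and every one is a GOODSIG
# made by EXPECTED_FPR. Assumption: any other first word ending in "SIG"
# is a failed or unverifiable signature.
check_deb_sig() {
    awk -v want="$EXPECTED_FPR" '
        $1 ~ /SIG$/ { seen++; if ($1 == "GOODSIG" && toupper($3) == want) good++ }
        END { exit !(seen > 0 && good == seen) }'
}

# check_rpm_sig: $1 = output of `rpm -K <pkg>`, $2 = output of the pgpsig --qf query.
check_rpm_sig() {
    # Long key ID = last 16 hex digits of the fingerprint, lowercased.
    keyid=$(printf '%s' "$EXPECTED_FPR" | cut -c25-40 | tr '[:upper:]' '[:lower:]')
    case "$1" in *"NOT OK"*|*"MISSING KEYS"*) return 1 ;; esac
    # A package with digests but no signature also ends in "OK", so require
    # a signature token before it ("pgp"/"gpg" here, "signatures" on newer rpm).
    printf '%s\n' "$1" | grep -Eq '(pgp|gpg|signatures).* OK$' || return 1
    # The query prints the key ID even when the key is missing, so it is only
    # meaningful together with the rpm -K result above.
    printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]' | grep -q "key id $keyid"
}

# Usage on a real host (commands as shown on this page):
#   dpkg-sig --verify cloudamize_agent.deb | check_deb_sig || exit 1
#   check_rpm_sig "$(rpm -K cloudamize_agent.rpm)" \
#       "$(rpm -q --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p cloudamize_agent.rpm)" || exit 1
```

Both functions return a shell exit status, so they can gate a later install command in a provisioning script.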
