2.6. Verifying packages
All of our DEB and RPM packages are signed with our GPG key.
All packages are signed by our GPG public key, available at http://trisul.org/pubkey.gpg
2.6.1 Verify a rpm
The steps are
- Import our public key
rpm --import http://trisul.org/pubkey.gpg
- Verify using
rpm --checksig trisulpackage.rpm
Look for the OK message.
A sample verify session would look like below
[root@localhost ~]# rpm --import http://trisul.org/pubkey.gpg
[root@localhost ~]# rpm --checksig webtrisul-3.0.1065-0.el6.x86_64.rpm
webtrisul-3.0.1065-0.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
The RPM verification was successful if you see the status end with pgp md5 OK
2.6.2 Verify a deb
You will be using a package called dpkg-sig
to verify the DEBs. Make sure it is installed first.
The steps are :
- Import our public key into your key ring using
gpg --import pubkey.gpg
- Verify using
dpkg-sig --verify pkg.deb
A sample verify session would look like below
nsmdemo@ubu22:~$ wget http://trisul.org/pubkey.gpg
nsmdemo@ubu22:~$ gpg --import pubkey.gpg
gpg: key A6CC1B18: public key "Unleash Networks Support (UNPL) <info@unleashnetworks.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
nsmdemo@ubu22:~$ dpkg-sig --verify trisul_3.0.1316_i386.deb
Processing trisul_3.0.1316_i386.deb...
GOODSIG _gpgbuilder 3024CAB9A68659FE4E4E3A0639A67B00A6CC1B18 1367065944
The output of dpkg-sig —verify must start with GOODSIG
The verification was successful if you see the status line start with GOODSIG