OpenPKG Corporation

Digital Signatures

OpenPKG OpenPGP Public Keys

For security reasons, the OpenPKG organizations use OpenPGP public key cryptography to digitally sign OpenPKG Security Advisories and RELEASE grade OpenPKG RPM packages. For this purpose, the following three official OpenPGP public keys are currently used by the corresponding organizations:

Verifying Digital Signatures

The OpenPKG organizations use the GnuPG implementation of the OpenPGP technologies for dealing with public key cryptography. In order to verify the digital signature of any OpenPKG Security Advisory or OpenPKG RPM package file, follow these steps:

Software Prerequisites

Import the OpenPKG OpenPGP public keys

You can import the three OpenPGP public keys into your personal key ring in one of the following ways:

Verify the integrity of the imported OpenPKG public keys

You should always make sure the imported public keys are the correct ones, at the very least by verifying their so-called "fingerprints". For this, run the following command:

$ gpg --fingerprint \
  openpkg@openpkg.org \
  openpkg@openpkg.com \
  openpkg@openpkg.net

Ensure that it prints the following three fingerprints:

6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F
7D12 1A8F C05D C18A 4329 E9EF 6704 2EC9 61B7 AE34
3BD1 0E11 71B2 2598 D770 8C48 AEBE 7645 5219 7903

Sign the OpenPKG OpenPGP public keys

If the fingerprints are correct, you usually want to either sign the keys with your own private key (assuming you have already created one with "gpg --gen-key") or at least mark them explicitly as trusted in the GnuPG trust database.

Verify the security advisory or distribution files

After installing GnuPG and importing, verifying and trusting the OpenPKG public keys as described above, the integrity and authenticity of OpenPKG Security Advisories and OpenPKG RPM package files can be verified with GnuPG.
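Because a fingerprint comparison done by eye is easy to get wrong, the check in the "Verify the integrity of the imported OpenPKG public keys" step can be scripted against GnuPG's machine-readable output. The following is an added example, not part of the OpenPKG page or tooling; it parses the colon-format output of "gpg --with-colons --fingerprint" and compares every "fpr" record against the three fingerprints listed above. The GnuPG output embedded below is a constructed, abridged sample so the script runs without a key ring.

```shell
#!/bin/sh
# Added example: compare the OpenPKG key fingerprints published on this page
# with the machine-readable output of
#   gpg --with-colons --fingerprint openpkg@openpkg.org openpkg@openpkg.com openpkg@openpkg.net
# so the check is scripted instead of eyeballed.

# The three fingerprints exactly as printed on the page (spaces are tolerated).
EXPECTED_FPRS="6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F
7D12 1A8F C05D C18A 4329 E9EF 6704 2EC9 61B7 AE34
3BD1 0E11 71B2 2598 D770 8C48 AEBE 7645 5219 7903"

# check_fingerprints EXPECTED COLON_OUTPUT
# Succeeds only when every expected fingerprint appears as an 'fpr' record in
# the colon-format output; each missing fingerprint is reported on stderr.
check_fingerprints() {
    # Field 10 of an 'fpr' record holds the fingerprint: 40 hex digits, no spaces.
    seen=$(printf '%s\n' "$2" | awk -F: '$1 == "fpr" { print toupper($10) }')
    missing=0
    for fpr in $(printf '%s\n' "$1" | tr -d ' ' | tr 'a-f' 'A-F'); do
        if ! printf '%s\n' "$seen" | grep -qxF "$fpr"; then
            echo "MISSING fingerprint: $fpr" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed, abridged sample of colon-format output (fpr and uid records
# only, not captured from a real key ring); the fpr fields are the page's
# fingerprints without spaces.
SAMPLE_OUTPUT='fpr:::::::::6D96EFCFCF75328810DB40C2807593E063C4CB9F:
uid:-::::::::OpenPKG <openpkg@openpkg.org>:
fpr:::::::::7D121A8FC05DC18A4329E9EF67042EC961B7AE34:
uid:-::::::::OpenPKG <openpkg@openpkg.com>:
fpr:::::::::3BD10E1171B22598D7708C48AEBE764552197903:
uid:-::::::::OpenPKG <openpkg@openpkg.net>:'

# The same sample with one hex digit of the second fingerprint altered, as a
# substituted or mistyped key would look; the check must reject it.
TAMPERED_OUTPUT=$(printf '%s\n' "$SAMPLE_OUTPUT" | sed 's/61B7AE34/61B7AE35/')

check_fingerprints "$EXPECTED_FPRS" "$SAMPLE_OUTPUT" \
    && echo "all three OpenPKG fingerprints present"
```

To run it against a real key ring, replace SAMPLE_OUTPUT with the output of the gpg command named in the header comment; subkey "fpr" records in that output are tolerated because only the presence of the three expected values is checked.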
