Digital Signatures
OpenPKG OpenPGP Public Keys
The OpenPKG organizations for security reasons use OpenPGP public key cryptography technology to digitally sign OpenPKG Security Advisories and RELEASE grade OpenPKG RPM packages. For this the following three official OpenPGP public keys are currently used by its corresponding organizations:- OpenPKG <openpkg@openpkg.org>
Download-URL: http://openpkg.org/openpkg.org.pgp Keyserver-URL: http://pgp.openpkg.org/pks/lookup?op=get&search=0×63C4CB9F Instance-File: prefix/etc/openpkg/openpkg.org.pgp Instance-Package: gpg-pubkey-63c4cb9f-3c591eda Fingerprint: 6D96 EFCF CF75 3288 10DB
40C2 8075 93E0 63C4 CB9F - OpenPKG GmbH <openpkg@openpkg.com>
Download-URL: http://openpkg.com/openpkg.com.pgp Keyserver-URL: http://pgp.openpkg.org/pks/lookup?op=get&search=0×61B7AE34 Instance-File: prefix/etc/openpkg/openpkg.com.pgp Instance-Package: gpg-pubkey-61b7ae34-4544a6af Fingerprint: 7D12 1A8F C05D C18A 4329
E9EF 6704 2EC9 61B7 AE34 - OpenPKG Foundation e.V. <openpkg@openpkg.net>
Download-URL: http://openpkg.net/openpkg.net.pgp Keyserver-URL: http://pgp.openpkg.org/pks/lookup?op=get&search=0×52197903 Instance-File: prefix/etc/openpkg/openpkg.net.pgp Instance-Package: gpg-pubkey-52197903-4544a74d Fingerprint: 3BD1 0E11 71B2 2598 D770
8C48 AEBE 7645 5219 7903
Verifying Digital Signatures
The OpenPKG organizations use the GnuPG implementation of the OpenPGP technologies for dealing with public key cryptography. In order to verify the digital signature of any OpenPKG Security Advisory or OpenPKG RPM package file, follow these steps:Software Prerequisites
- OpenPKG RPM
OpenPKG has the capability to check signed OpenPKG RPM packages using
the built-in BeeCrypt cryptography technology. The OpenPKG OpenPGP public keys
are preinstalled into every OpenPKG instance and appear in the RPM database as if
they were parallel installed versions of the real RPM package gpg-pubkey. You
can verify their existance with:
$ prefix/bin/openpkg rpm -q gpg-pubkey
The output should contain at least:gpg-pubkey-63c4cb9f-3c591eda gpg-pubkey-61b7ae34-4544a6af gpg-pubkey-52197903-4544a74d
To just verify OpenPKG RPM packages, nothing more is needed. Separate OpenPGP cryptography software is needed when verifying OpenPKG Security Advisory texts or to sign OpenPKG RPM packages, however. - OpenPKG GnuPG
GnuPG is the preferred tool for working with OpenPGP.
For this you have to install the OpenPKG gnupg package and
make sure the program gpg is in
your $PATH. You can achieve all of this
with the following two commands:
$ prefix/bin/openpkg build gpg | sh $ eval `prefix/bin/openpkg rc --eval openpkg env`
Import the OpenPKG OpenPGP public keys
You can import the three OpenPGP public keysinto your personal key ring in one of the following ways:
- From the official download location (preference):
$ gpg --fetch-keys \ http://openpkg.org/openpkg.org.pgp \ http://openpkg.com/openpkg.com.pgp \ http://openpkg.net/openpkg.net.pgp
- From the official OpenPKG keyserver (alternative):
$ gpg --recv-keys --keyserver pgp.openpkg.org \ 63C4CB9F 61B7AE34 52197903
- From an already existing OpenPKG instance (convinience):
$ gpg --import \ prefix/etc/openpkg/openpkg.*.pgp
Verify the integrity of the imported OpenPKG public keys
You should always make sure the imported public keys are the correct ones by at least verifying its so-called "fingerprint". For this run the following command:$ gpg --fingerprint \ openpkg@openpkg.org \ openpkg@openpkg.com \ openpkg@openpkg.netEnsure that it prints the following three fingerprints:
6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F 7D12 1A8F C05D C18A 4329 E9EF 6704 2EC9 61B7 AE34 3BD1 0E11 71B2 2598 D770 8C48 AEBE 7645 5219 7903
Sign the OpenPKG OpenPGP public keys
If the fingerprints are ok, you usually want to either sign the keys with your own private key (assuming you already have it created once with "gpg --gen-key") or at least mark it explicitly as trusted in the GnuPG trust database.- Sign the public keys (preference):
$ gpg --sign-key 63C4CB9F $ gpg --sign-key 61B7AE34 $ gpg --sign-key 52197903
- Mark the public keys as trusted (alternative):
gpg --update-trustdb \ --trusted-key 807593E063C4CB9F \ --trusted-key 67042EC961B7AE34 \ --trusted-key AEBE764552197903(for security reasons you have to use less abbreviated fingerprints here)
Verify the security advisory or distribution files
After building and installing GnuPG and integrating the OpenPKG public key, the integrity and authenticity of OpenPKG Security Advisories and OpenPKG RPM package files may be easily verified.- OpenPKG Security Advisory Verification:
To verify a security advisory, pipe the message through the
command "gpg --verify":
$ gpg --verify OpenPKG-SA-200X.XXX-xxxx.txt
Ensure that it successfully responds with one(!) of the following three possible results: gpg: Good signature from "OpenPKG <openpkg@openpkg.org>"
gpg: Good signature from "OpenPKG GmbH <openpkg@openpkg.com>"
gpg: Good signature from "OpenPKG Foundation e.V. <openpkg@openpkg.net>" If instead it responds with (or something else): gpg: BAD signature from… then it is a clear indication that the security advisory text is invalid and not certified by one of the OpenPKG organizations. Notice: for verification you have to use the Plain Text (.txt) version of OpenPKG Security Advisories instead of the HTML (.html). The Plain Text versions are referenced on the right hand side of every Security Advisory HTML page. Or simply replace the extension .html with .txt in the URLs of the Security Advisories. - OpenPKG RPM Package File Verification:
To verify an OpenPKG RPM package file name.rpm (either source or
binary), run the following command on it:
$ openpkg rpm -v --checksig name.rpm
Ensure that it successfully responds with: name.rpm: name.rpm:
Header V3 DSA signature: OK
Header SHA1 digest: OK
MD5 digest: OK
V3 DSA signature: OK If instead it responds with the text NOT OK rather than OK or anything else for that matter, then it is a clear indication that the OpenPKG RPM package file is invalid and not certified by any of the OpenPKG organizations. Notice: the "digest" information above corresponds to the RPM package integrity and exists always. The "signature" information corresponds to the RPM package digital signature and exists only if the RPM package was digitally signed at all.
