You can manually verify the signature for Puppet source tarballs or Ruby gems.
-
Import the public key:
gpg --keyserver pgp.mit.edu --recv-key 7F438280EF8D349FThe key is also available via HTTP.Tip: If this is your first time running the gpg tool, it might fail to import the key after creating its configuration file and keyring. You can run the command a second time to import the key into your newly created keyring.The gpg tool imports the key:gpg: requesting key EF8D349F from hkp server pgp.mit.edu gpg: /home/username/.gnupg/trustdb.gpg: trustdb created gpg: key EF8D349F: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) -
Verify the fingerprint:
gpg --list-key --fingerprint 7F438280EF8D349FThe fingerprint of the Puppet release signing key is 6F6B 1550 9CF8 E59E 6E46 9F32 7F43 8280 EF8D 349F. Ensure the fingerprint listed matches this value.
-
Download the tarball or gem and its corresponding
.ascfile from https://downloads.puppet.com/puppet/. -
Verify the tarball or gem,
replacing <VERSION> with the Puppet
version number, and <FILE TYPE> with
tar.gzfor a tarball orgemfor a Ruby gem:gpg --verify puppet-<VERSION>.<FILE TYPE>.asc puppet-<VERSION>.<FILE TYPE>The output confirms that the signature matches:gpg: Signature made Mon 19 Sep 2016 04:58:29 PM UTC using RSA key ID EF8D349F gpg: Good signature from "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>"Tip: If you haven't set up a trust path to the key, you receive a warning that the key is not certified. If you’ve verified the fingerprint of the key, GPG has verified the archive’s integrity; the warning simply means that GPG can’t automatically prove the key’s ownership.