RPM packages include an embedded signature, which you can verify after importing the Puppet public key.
- Import the public key:

      gpg --keyserver pgp.mit.edu --recv-key 7F438280EF8D349F

  The key is also available via HTTP.

  Tip: If this is your first time running the gpg tool, it might fail to import the key after creating its configuration file and keyring. You can run the command a second time to import the key into your newly created keyring.

  The gpg tool imports the key:

      gpg: requesting key EF8D349F from hkp server pgp.mit.edu
      gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
      gpg: key EF8D349F: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>" imported
      gpg: no ultimately trusted keys found
      gpg: Total number processed: 1
      gpg:               imported: 1  (RSA: 1)
- Verify the fingerprint:

      gpg --list-key --fingerprint 7F438280EF8D349F

  The fingerprint of the Puppet release signing key is 6F6B 1550 9CF8 E59E 6E46 9F32 7F43 8280 EF8D 349F. Ensure the fingerprint listed matches this value.
- Retrieve the Puppet public key and place it in a file on your node.
- Use the RPM tool to import the public key, replacing <PUBLIC KEY FILE> with the path to the file containing the public key:

      sudo rpm --import <PUBLIC KEY FILE>

  The RPM tool doesn't output anything if the command is successful.
- Use the RPM tool to check the signature of a downloaded RPM package:

      sudo rpm -vK <RPM_FILE_NAME>

  The embedded signature is verified and displays OK:

      puppet-agent-1.5.1-1.el6.x86_64.rpm:
          Header V4 RSA/SHA512 Signature, key ID ef8d349f: OK
          Header SHA1 digest: OK (95b492a1fff452d029aaeb59598f1c78dbfee0c5)
          V4 RSA/SHA512 Signature, key ID ef8d349f: OK
          MD5 digest: OK (4878909ccdd0af24fa9909790dd63a12)
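As an added example (not from the Puppet documentation), here are the steps above wrapped in a POSIX sh script that fails closed: the fingerprint comparison and the parsing of `rpm -vK` output are separate functions, which matters because rpm reports the digests as OK even when the signature itself could not be checked (NOKEY). The key ID, fingerprint and keyserver are the values given on this page; the package path argument and the temporary key file are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Puppet documentation. Constants below are the
# values the page gives; the package path passed to verify_puppet_rpm is assumed.
set -u

PUPPET_KEY_ID="7F438280EF8D349F"
PUPPET_FPR="6F6B15509CF8E59E6E469F327F438280EF8D349F"

# Strip spaces/colons and upper-case a fingerprint, then compare it with the
# expected value. Exit status 0 on match, 1 otherwise.
fingerprint_matches() {
    norm=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
    [ "$norm" = "$PUPPET_FPR" ]
}

# Judge the output of `rpm -vK`. rpm prints the digest lines as OK even when
# the signature is unverifiable, so require: no NOT OK / NOKEY / MISSING KEYS
# line, and a signature line whose key ID is a suffix of the expected key ID
# (older rpm prints the 8-hex short ID, newer rpm the 16-hex long ID).
rpm_output_ok() {
    out=$(printf '%s\n' "$1" | tr 'a-z' 'A-Z')
    printf '%s\n' "$out" | grep -q -E 'NOT OK|NOKEY|MISSING KEYS' && return 1
    sig_id=$(printf '%s\n' "$out" \
        | sed -n 's/.*SIGNATURE, KEY ID \([0-9A-F]*\):.*/\1/p' | head -n 1)
    [ -n "$sig_id" ] || return 1
    case "$PUPPET_KEY_ID" in
        *"$sig_id") return 0 ;;
        *)          return 1 ;;
    esac
}

# Full procedure for one downloaded package; needs gpg, rpm and sudo installed.
verify_puppet_rpm() {
    pkg="$1"
    gpg --keyserver pgp.mit.edu --recv-key "$PUPPET_KEY_ID" >/dev/null 2>&1 || return 1
    # Field 10 of the "fpr" record is the full fingerprint in --with-colons output.
    fpr=$(gpg --with-colons --fingerprint "$PUPPET_KEY_ID" | awk -F: '$1=="fpr"{print $10; exit}')
    fingerprint_matches "$fpr" || { echo "fingerprint mismatch: $fpr" >&2; return 1; }
    keyfile=$(mktemp) || return 1
    gpg --armor --export "$PUPPET_KEY_ID" > "$keyfile" || { rm -f "$keyfile"; return 1; }
    sudo rpm --import "$keyfile"; rc=$?
    rm -f "$keyfile"
    [ "$rc" -eq 0 ] || return 1
    rpm_output_ok "$(rpm -vK "$pkg" 2>&1)"
}
```

Run it as `verify_puppet_rpm /path/to/puppet-agent.rpm && echo verified`; a non-zero exit means the key, the fingerprint or the package signature did not check out.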