Puppet signs most of its packages, Ruby gems, and release tarballs with GNU Privacy Guard (GPG). This signature proves that the packages originate from Puppet and have not been compromised. Security-conscious users can use GPG to verify package signatures.
-
If you install from the Puppet Yum and Apt repositories, the release package that enables the repository also installs our release signing key. The Yum and Apt tools automatically verify the integrity of packages as you install them.
-
If you install a Windows agent using an .msi package, the Windows installer automatically verifies the signature before installing the package.
- Verify a source tarball or gem
You can manually verify the signature for Puppet source tarballs or Ruby gems. - Verify an RPM package
RPM packages include an embedded signature, which you can verify after importing the Puppet public key. - Verify a macOS puppet-agent package
puppet-agent
packages for macOS are signed with a developer ID and certificate. You can verify the package signature using thepkgutil
tool or the installer.