Security information about the VDT's Signed RPMs

Verifying the VDT RPMs

We use a GPG key to sign our software packages. Normally yum and rpm transparently use the GPG signatures to verify the packages have not been corrupted and were created by us. You get our GPG public key when you install the osg-release RPM.

If you wish to verify one of our RPMs manually, you can run:

[user@client ~]$ rpm --checksig -v name.rpm

For example:

[user@client ~]$ rpm --checksig -v globus-core-8.0-2.osg.x86_64.rpm 
    Header V3 DSA signature: OK, key ID 824b8603
    Header SHA1 digest: OK (2b5af4348c548c27f10e2e47e1ec80500c4f85d7)
    MD5 digest: OK (d11503a229a1a0e02262034efe0f7e46)
    V3 DSA signature: OK, key ID 824b8603

The VDT Packaging Signing Key

Location: /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG
Download #1: Twiki
Download #2: UW-Madison
Fingerprint: 6459 D9D2 AAA9 AB67 A251  FB44 2110 B1C8 824B 8603
Key ID: 824b8603

You can see the fingerprint for yourself:

[user@client ~]$ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG
pub  1024D/824B8603 2011-09-15 OSG Software Team (RPM Signing Key for Koji Packages) 
      Key fingerprint = 6459 D9D2 AAA9 AB67 A251  FB44 2110 B1C8 824B 8603
sub  2048g/28E5857C 2011-09-15
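
Both manual checks can be scripted so that a package passes only when signature lines are present, report OK, and name the key ID published on this page; rpm also reports OK digests for an unsigned package and an OK signature for any key in its keyring. This is an added example, not part of the original page or of OSG tooling; the function names and the unsigned and other-key samples are constructed for illustration.

```shell
#!/bin/sh
# Added example. Key ID and fingerprint are the values published on this page.
EXPECTED_KEYID="824b8603"
EXPECTED_FPR="6459 D9D2 AAA9 AB67 A251  FB44 2110 B1C8 824B 8603"

# Reads `rpm --checksig -v` output on stdin. Succeeds only if at least one
# signature line is present, every signature line is OK for key ID $1,
# and no digest line reports a failure.
check_sig_output() {
    awk -v want="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
        { line = tolower($0); sub(/[ \t\r]+$/, "", line) }
        line ~ / signature: / {
            sigs++
            if (line !~ ("signature: ok, key id " want "$")) bad++
        }
        line ~ / digest: / && line !~ / digest: ok/ { bad++ }
        END { exit !(sigs > 0 && bad == 0) }
    '
}

# Strip whitespace and uppercase, so differently spaced copies compare equal.
norm_hex() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Reads `gpg --with-fingerprint` output on stdin. Succeeds only if it shows
# fingerprint $1 and key ID $2 is that fingerprint's last 8 hex digits.
check_fingerprint() {
    want=$(norm_hex "$1")
    got=$(norm_hex "$(sed -n 's/^ *Key fingerprint = //p' | head -n 1)")
    tail8=$(printf '%s' "$want" | sed 's/.*\(........\)$/\1/')
    [ "$got" = "$want" ] && [ "$tail8" = "$(norm_hex "$2")" ]
}

# Sample rpm output copied from this page.
SAMPLE_OK='    Header V3 DSA signature: OK, key ID 824b8603
    Header SHA1 digest: OK (2b5af4348c548c27f10e2e47e1ec80500c4f85d7)
    MD5 digest: OK (d11503a229a1a0e02262034efe0f7e46)
    V3 DSA signature: OK, key ID 824b8603'
# Constructed: an unsigned package, digests only.
SAMPLE_UNSIGNED='    Header SHA1 digest: OK (2b5af4348c548c27f10e2e47e1ec80500c4f85d7)
    MD5 digest: OK (d11503a229a1a0e02262034efe0f7e46)'
# Constructed: signed by a different key that is present in the rpm keyring.
SAMPLE_OTHERKEY='    Header V3 DSA signature: OK, key ID 0badc0de
    V3 DSA signature: OK, key ID 0badc0de'
# Fingerprint line copied from the gpg output on this page.
SAMPLE_GPG='      Key fingerprint = 6459 D9D2 AAA9 AB67 A251  FB44 2110 B1C8 824B 8603'

printf '%s\n' "$SAMPLE_OK" | check_sig_output "$EXPECTED_KEYID" && echo "signed by expected key"
```

On a real system, pipe `rpm --checksig -v name.rpm` into `check_sig_output`. The parser matches the output format shown on this page; rpm versions that format these lines differently make the function fail closed.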
Topic revision: r7 - 07 Feb 2017 - 20:23:14 - BrianBockelman