# Linux Package GPG Signing Verification

{% hint style="info" %}
The BDOT Collector's Linux packages are signed with a GPG key starting with version v1.88.1.
{% endhint %}

## Preliminary Information

Signature verification is done automatically by the collector install script, but users who wish to use the Linux packages retrieved directly, without the install script, may wish to verify the signature on the packages independently.

## GPG Verification Data

The data required to verify the signature can be downloaded using curl:

```shellscript
# COLLECTOR_VERSION is the collector release being verified (packages are signed from v1.88.1 on)
mkdir -p /tmp/gpg
curl -fsSL "https://bdot.bindplane.com/${COLLECTOR_VERSION}/gpg-keys.tar.gz" -o /tmp/bdot-gpg-keys.tar.gz
tar -xzf /tmp/bdot-gpg-keys.tar.gz -C /tmp/gpg
```

`gpg-keys.tar.gz` contains:

* `bdot-public-gpg-key.asc`: This is the key used to verify the signature on this version of the collector.
* `deb-revocations/`: This folder contains any historically revoked keys. These keys are included to prevent any software signed with a revoked key from successfully installing on a Debian system.
  * Currently, there are no revocations included.
* `rpm-revocation.txt`: This file contains a list of all RPM key IDs that correspond to revoked keys. These key IDs should all be erased from the RPM store to prevent software signed with a revoked key from being installed on an RPM system.
  * Currently, there are no entries in this file, since there are no revocations.

## How to Verify

### Debian

#### Apt Verification

Debian-based systems using apt-get have no mechanism for enforcing GPG checks on locally installed packages: apt's signature checking covers repository metadata, not a `.deb` file installed directly. Use the manual verification below instead.

#### Manual Verification

First, ensure that both `gpg` and `ar` are installed on the system.

```shellscript
command -v gpg
command -v ar
```

If either command prints nothing, install the corresponding package using apt.

```shellscript
sudo apt-get update
# gpg
sudo apt-get install gpg
# ar
sudo apt-get install binutils
```

Import `bdot-public-gpg-key.asc` and any revocation certificates in `deb-revocations/` into the GPG keyring (the paths below assume the bundle was extracted to `/tmp/gpg` as shown above).

```shellscript
gpg --import /tmp/gpg/bdot-public-gpg-key.asc
# import any revocation certificates shipped in the bundle (currently none)
if compgen -G "/tmp/gpg/deb-revocations/*" > /dev/null; then
  for key in /tmp/gpg/deb-revocations/*; do
    gpg --import "$key"
  done
fi
```

Then, extract `_gpgorigin` (the detached signature stored as an extra member of the `ar` archive) from the collector Debian package.

```shellscript
# ar x <archive> <member>: extracts only the _gpgorigin member into the current directory
ar x observiq-otel-collector_<VERSION>_linux_<ARCH>.deb _gpgorigin
```

Then, verify the signature. The signature covers the concatenation of the three regular package members, so they are streamed to `gpg` in order.

```shellscript
# the member names must match the package; list them with `ar t <package>.deb` if verification fails
ar p observiq-otel-collector_<VERSION>_linux_<ARCH>.deb debian-binary control.tar.gz data.tar.gz | gpg --verify _gpgorigin -
```

If satisfied with the result (gpg reports a good signature, and the signing key is neither expired nor revoked), raise the trust level on the imported key to increase confidence in future signature verifications.

```shellscript
gpg --list-keys
# find the BDOT collector key, identify its fingerprint 
gpg --edit-key <FINGERPRINT>
gpg> trust
# select trust level
gpg> save
```
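Reading the human-readable `gpg --verify` output by eye is error-prone in a script. The following is an added example, not part of the BDOT documentation or install script: it consumes gpg's machine-readable `--status-fd` lines and accepts the package only when a `GOODSIG` is reported and no bad-signature, expired-key, revoked-key or missing-key status appears. The sample status lines at the bottom are constructed for the demonstration; the key ID and signer name in them are placeholders, not the real BDOT key.

```shell
# Added example (not BDOT code): decide whether a gpg --verify result is acceptable
# by parsing --status-fd output rather than the human-readable text.
#
# Usage against a real package (gpg and ar required; paths assumed):
#   ar p observiq-otel-collector_<VERSION>_linux_<ARCH>.deb debian-binary control.tar.gz data.tar.gz \
#     | gpg --status-fd 1 --verify _gpgorigin - 2>/dev/null | gpg_status_ok
#
# Reads status lines on stdin. Returns 0 only if a GOODSIG line is present and none
# of the failure statuses (BADSIG, EXPKEYSIG, REVKEYSIG, EXPSIG, NO_PUBKEY) appear.
gpg_status_ok() {
  good=0
  bad=0
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] GOODSIG "*)   good=1 ;;
      "[GNUPG:] BADSIG "*)    bad=1; echo "reject: bad signature" >&2 ;;
      "[GNUPG:] EXPKEYSIG "*) bad=1; echo "reject: signing key expired" >&2 ;;
      "[GNUPG:] REVKEYSIG "*) bad=1; echo "reject: signing key revoked" >&2 ;;
      "[GNUPG:] EXPSIG "*)    bad=1; echo "reject: signature expired" >&2 ;;
      "[GNUPG:] NO_PUBKEY "*) bad=1; echo "reject: signing key not imported" >&2 ;;
    esac
  done
  [ "$good" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample status output (placeholder key ID and signer, not real gpg
# output for a BDOT package) so the check can be exercised offline.
sample='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'
if printf '%s\n' "$sample" | gpg_status_ok; then
  echo "sample: accepted"
else
  echo "sample: rejected"
fi
```

A `GOODSIG` from a key that is merely untrusted still passes this check; key trust is a separate decision, which is why the page has you raise the trust level after a successful verification.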

### RPM

First, import `bdot-public-gpg-key.asc` using RPM.

```shellscript
sudo rpm --import /tmp/gpg/bdot-public-gpg-key.asc
```

Ensure that the imported key is not expired.

Next, ensure that there are no entries in your RPM database that match an ID in `rpm-revocations.txt`. Imported keys are stored by rpm as `gpg-pubkey-*` pseudo-packages, so each ID can be queried like a package.

```shellscript
# each line of the file is an RPM key ID; "is not installed" means the revoked key is absent
while IFS= read -r id; do
  sudo rpm -q "$id"
done < /tmp/gpg/rpm-revocations.txt
```

If any query output does not end with `is not installed`, the corresponding revoked key is still present in the RPM database and must be erased.

```shellscript
# <KEY_ID> is the ID that the previous step reported as installed
sudo rpm -e "<KEY_ID>"
```

#### Yum Verification

First, ensure yum is configured to enforce GPG signing:

```bash
sudo vi /etc/yum.conf
```

Ensure the main block contains:

```ini
[main]
gpgcheck=1
localpkg_gpgcheck=1
```

Finally, attempt to install the package. If the package is signed with a valid signature, this should succeed.

```bash
sudo yum install observiq-otel-collector_<VERSION>_linux_<ARCH>.rpm
```

#### Dnf Verification

First, ensure dnf is configured to enforce GPG signing:

```bash
sudo vi /etc/dnf/dnf.conf
```

Ensure the main block contains:

```ini
[main]
gpgcheck=1
localpkg_gpgcheck=1
```

Finally, attempt to install the package. If the package is signed with a valid signature, this should succeed.

```bash
sudo dnf install observiq-otel-collector_<VERSION>_linux_<ARCH>.rpm
```
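Both the yum and the dnf procedures above depend on `gpgcheck=1` and `localpkg_gpgcheck=1` actually being set in the `[main]` section; a value set in a repository section does not protect a locally installed `.rpm`. The following is an added example, not part of the BDOT documentation: a shell function that reads a yum or dnf config file and reports whether both settings are enforced in `[main]`, followed by a weak and a corrected config built inline for the demonstration (constructed files, not real system configs; the `gpgcheck_enforced` name is the example's own).

```shell
# Added example (not BDOT code): check that a yum/dnf config enforces GPG
# signature checks for both repository and local packages.
# Only keys inside [main] count; a later assignment overrides an earlier one.
# Returns 0 when gpgcheck=1 and localpkg_gpgcheck=1 are both set, 1 otherwise.
gpgcheck_enforced() {
  awk '
    # a section header switches whether we are inside [main]
    /^[[:space:]]*\[/ { in_main = ($0 ~ /^[[:space:]]*\[main\][[:space:]]*$/); next }
    # skip lines outside [main], comments, and lines without key=value
    !in_main || /^[[:space:]]*[#;]/ || !/=/ { next }
    {
      key = $0; sub(/=.*/, "", key);     gsub(/[[:space:]]/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/[[:space:]]/, "", val)
      if (key == "gpgcheck")          gpg = val
      if (key == "localpkg_gpgcheck") lp  = val
    }
    END {
      ok = 1
      if (gpg != "1") { print "gpgcheck is " (gpg == "" ? "unset" : gpg) ", expected 1"; ok = 0 }
      if (lp  != "1") { print "localpkg_gpgcheck is " (lp == "" ? "unset" : lp) ", expected 1"; ok = 0 }
      exit (ok ? 0 : 1)
    }' "$1"
}

# Constructed demo configs (not real system files): the weak one checks repo
# packages but not local .rpm files; the fixed one enforces both.
demo_dir=$(mktemp -d)
printf '[main]\ngpgcheck=1\nlocalpkg_gpgcheck=0\n\n[baseos]\ngpgcheck=1\n' > "$demo_dir/weak.conf"
printf '[main]\ngpgcheck=1\nlocalpkg_gpgcheck=1\n' > "$demo_dir/fixed.conf"
for name in weak fixed; do
  if gpgcheck_enforced "$demo_dir/$name.conf"; then
    echo "$name.conf: local package signatures are enforced"
  else
    echo "$name.conf: local package signatures are NOT enforced"
  fi
done
rm -rf "$demo_dir"
```

Run it as `gpgcheck_enforced /etc/yum.conf` or `gpgcheck_enforced /etc/dnf/dnf.conf` before relying on the install step to reject an unsigned package.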

#### Manual Verification

Manual verification is a single command:

```shellscript
sudo rpm --checksig -v observiq-otel-collector_<VERSION>_linux_<ARCH>.rpm
```

Ensure all four lines end with `OK`. A line ending in `NOKEY` means the signing key has not been imported into the RPM database, and `BAD` means a signature or digest did not match the package contents.
