Linux Package GPG Signing Verification

This document describes how to verify the GPG signature on the BDOT Collector's Linux packages.

The BDOT Collector's Linux packages are signed with a GPG key starting with version v1.88.1.

Preliminary Information

Signature verification is done automatically by the collector install script, but users who wish to use the Linux packages retrieved directly, without the install script, may wish to verify the signature on the packages independently.

GPG Verification Data

The data required to verify the signature can be downloaded using curl:

# COLLECTOR_VERSION must be set to the collector release being verified.
# -f makes curl fail on an HTTP error instead of saving an error page as the tarball,
# and the extraction directory has to exist before tar can write into it.
mkdir -p /tmp/gpg
curl -fsSL "https://bdot.bindplane.com/${COLLECTOR_VERSION}/gpg-keys.tar.gz" -o /tmp/bdot-gpg-keys.tar.gz
tar -xzf /tmp/bdot-gpg-keys.tar.gz -C /tmp/gpg

gpg-keys.tar.gz contains:

  • bdot-public-gpg-key.asc: This is the key used to verify the signature on this version of the collector.

  • deb-revocations/: This folder contains any historically revoked keys. These keys are included to prevent any software signed with a revoked key from successfully installing on a Debian system.

    • Currently, there are no revocations included.

  • rpm-revocation.txt: This file contains a list of all RPM key IDs that correspond to revoked keys. These key IDs should all be erased from the RPM store to prevent software signed with a revoked key from being installed on an RPM system.

    • Currently, there are no entries in this file, since there are no revocations.

How to Verify

Debian

Apt Verification

Debian-based systems with apt-get do not have a mechanism for enforcing GPG checks on locally installed packages.

Manual Verification

First, ensure that both gpg and ar are installed on the system.

If either of these commands doesn't return anything, install the corresponding package using apt.

Import bdot-public-gpg-key.asc and any entries in deb-revocations/ to the GPG store.

Then, extract _gpgorigin from the collector Debian package.

Then, verify the signature.

If satisfied with the result (the key is present, and neither expired nor revoked), alter the trust level on the imported key to increase confidence in future signature verifications.
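The Debian manual steps above, written out as an added example (this is not code from the BDOT documentation or the collector project). It assumes the debsigs "origin" layout, in which _gpgorigin is a detached signature over the other ar members concatenated in ar order (debian-binary, control.tar.*, data.tar.*), that gpg-keys.tar.gz was extracted to KEYDIR, and uses placeholder package paths. The gpg_status_verdict function is the part worth keeping: it reads gpg's machine-readable status lines rather than scraping the human-readable output, so an expired or revoked signing key is refused rather than merely warned about.

```shell
#!/bin/sh
# Added example, not from the BDOT documentation. Assumes the debsigs
# "origin" layout: _gpgorigin is a detached signature over the other ar
# members concatenated in ar order (debian-binary, control.tar.*, data.tar.*).
# KEYDIR is where gpg-keys.tar.gz was extracted; package paths are placeholders.

KEYDIR="${KEYDIR:-/tmp/gpg}"

# The docs ask for gpg and ar; fail early and name the package that provides each.
require_tool() {
    command -v "$1" >/dev/null 2>&1 && return 0
    echo "missing tool: $1 (gpg is in gnupg, ar is in binutils)" >&2
    return 1
}

# Import the signing key plus any revocation certificates shipped alongside it.
import_keys() {
    gpg --import "$KEYDIR/bdot-public-gpg-key.asc"
    for rev in "$KEYDIR"/deb-revocations/*; do
        if [ -f "$rev" ]; then gpg --import "$rev"; fi
    done
}

# Reduce gpg --status-fd output to a verdict. Returns 0 only for a good
# signature from a key that is neither expired nor revoked. Pure shell, so
# it can be exercised on captured status lines without running gpg.
gpg_status_verdict() {
    _status="$1"
    case "$_status" in
        *"[GNUPG:] BADSIG"*)    echo "BAD: signature does not match the package"; return 1 ;;
        *"[GNUPG:] REVKEYSIG"*) echo "BAD: signing key has been revoked";          return 1 ;;
        *"[GNUPG:] EXPKEYSIG"*) echo "BAD: signing key has expired";               return 1 ;;
        *"[GNUPG:] NO_PUBKEY"*) echo "BAD: signing key is not in the keyring";      return 1 ;;
        *"[GNUPG:] GOODSIG"*)   echo "OK: good signature";                         return 0 ;;
    esac
    echo "BAD: gpg produced no signature verdict"
    return 1
}

# Extract _gpgorigin from the .deb and verify it over the remaining members.
verify_deb() {
    require_tool gpg && require_tool ar || return 1
    _pkg=$(readlink -f "$1")
    _work=$(mktemp -d)
    ( cd "$_work" && ar x "$_pkg" ) || { rm -rf "$_work"; return 1; }
    # Status lines go to stdout (fd 1); gpg's chatter goes to stderr and is dropped.
    _out=$(cd "$_work" && cat debian-binary control.tar.* data.tar.* \
           | gpg --status-fd 1 --verify _gpgorigin - 2>/dev/null) || true
    rm -rf "$_work"
    gpg_status_verdict "$_out"
}

# Once satisfied, raise owner trust on the key (5 = full) so later
# verifications stop warning that the key is not certified.
trust_key() {
    _fpr=$(gpg --with-colons --fingerprint "$1" | awk -F: '/^fpr:/ { print $10; exit }')
    [ -n "$_fpr" ] || return 1
    echo "${_fpr}:5:" | gpg --import-ownertrust
}

# Usage (placeholder paths):
#   import_keys && verify_deb ./bdot-collector_amd64.deb && trust_key <KEY-ID>
```

The trust step uses `--import-ownertrust` so it can run unattended; the interactive `gpg --edit-key` `trust` command does the same thing by hand.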

RPM

First, import bdot-public-gpg-key.asc using RPM.

Ensure that the key is not expired.

Next, ensure that there are no entries in your RPM store that match an ID in rpm-revocations.txt.

If any of the entries do not end with "is not installed", those packages need to be removed.

Yum Verification

First, ensure yum is configured to enforce GPG signing:

Ensure the main block contains:

Finally, attempt to install the package. If the package is signed with a valid signature, this should succeed.

Dnf Verification

First, ensure dnf is configured to enforce GPG signing:

Ensure the main block contains:

Finally, attempt to install the package. If the package is signed with a valid signature, this should succeed.
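An added check for the yum and dnf configuration steps above (not code from the BDOT documentation). The page's configuration block did not survive extraction; the two settings this example tests, gpgcheck=1 and localpkg_gpgcheck=1, are the standard yum.conf and dnf.conf options that make the package manager verify repository packages and local .rpm files respectively, and are my assumption about what that block listed. Everything else (file paths, function names) is illustrative.

```shell
#!/bin/sh
# Added example, not from the BDOT documentation. Checks that the [main]
# section of a yum or dnf configuration enforces GPG checks. gpgcheck=1 and
# localpkg_gpgcheck=1 are the standard yum.conf/dnf.conf options for
# repository and local package files; they are my assumption about what
# the page's stripped configuration block listed.

# Print the value of <key> from the [main] section of <config>, or nothing.
# Only [main] is consulted: the same key in a [repo] section does not count.
main_section_value() {
    awk -F= -v key="$2" '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\]/); next }
        in_main && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }
    ' "$1"
}

# Return 0 when both settings are 1; otherwise report what to add.
gpgcheck_enforced() {
    _cfg="$1"; _rc=0
    for _key in gpgcheck localpkg_gpgcheck; do
        _val=$(main_section_value "$_cfg" "$_key" 2>/dev/null || true)
        if [ "$_val" != "1" ]; then
            echo "$_cfg: [main] must contain $_key=1 (found: ${_val:-unset})"
            _rc=1
        fi
    done
    return $_rc
}

# Check the live configuration for whichever package manager is in use.
check_package_manager_config() {
    if command -v dnf >/dev/null 2>&1; then
        gpgcheck_enforced /etc/dnf/dnf.conf
    else
        gpgcheck_enforced /etc/yum.conf
    fi
}

# Usage (placeholder package path):
#   check_package_manager_config && dnf install ./bdot-collector.x86_64.rpm
```

localpkg_gpgcheck is the setting that matters for this page: gpgcheck alone only covers packages pulled from a repository, and a .rpm passed on the command line bypasses it.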

Manual Verification

Manual verification is simple:

Ensure all four lines end with OK.
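The RPM steps (key import, expiry check, revoked-key sweep) and the manual rpm verification above, as one added example that is not code from the BDOT documentation. It assumes gpg-keys.tar.gz was extracted to KEYDIR, reads the revocation list under the rpm-revocation.txt name given in the archive contents (the page also refers to it as rpm-revocations.txt), and uses gpg --show-keys for the expiry check, which needs GnuPG 2.2 or newer. The two pure-shell functions, rpm_store_clean and checksig_verdict, apply the page's two rules ("is not installed" for every revoked ID; every check line ends with OK) to captured rpm output, so they can be tested without rpm present.

```shell
#!/bin/sh
# Added example, not from the BDOT documentation. Covers the RPM steps:
# importing the key, checking its expiry, checking the RPM store against the
# revoked key IDs, and reading rpm -Kv output. Assumes gpg-keys.tar.gz was
# extracted to KEYDIR and uses the archive's rpm-revocation.txt file name;
# the gpg --show-keys expiry check needs GnuPG 2.2 or newer.

KEYDIR="${KEYDIR:-/tmp/gpg}"

# Import the signing key into the RPM store.
rpm_import_key() {
    rpm --import "$KEYDIR/bdot-public-gpg-key.asc"
}

# Print the key's metadata; an expired key is marked "[expired: ...]".
key_expiry_report() {
    gpg --show-keys "$KEYDIR/bdot-public-gpg-key.asc"
}

# Given the combined output of "rpm -q gpg-pubkey-<id>" for each revoked ID,
# return 0 only if every query reported "is not installed". Pure shell, so it
# can be checked against captured output without rpm.
rpm_store_clean() {
    _found=0
    while IFS= read -r _line; do
        case "$_line" in
            '') ;;
            *"is not installed") ;;
            *) echo "revoked key still in RPM store, remove it: rpm -e $_line"; _found=1 ;;
        esac
    done <<EOF
$1
EOF
    return $_found
}

# Query the RPM store for each revoked key ID listed in rpm-revocation.txt.
check_revocations() {
    _list="$KEYDIR/rpm-revocation.txt"
    _out=""
    if [ -f "$_list" ]; then
        while IFS= read -r _id || [ -n "$_id" ]; do
            [ -n "$_id" ] || continue
            _out="$_out
$(rpm -q "gpg-pubkey-$_id" 2>&1 || true)"
        done < "$_list"
    fi
    rpm_store_clean "$_out"
}

# Given rpm -Kv output, return 0 only if every check line ends in OK.
# The first line is just the file name and is skipped; a summary such as
# "SIGNATURES NOT OK" is caught before the generic OK match.
checksig_verdict() {
    _ok=0; _bad=0
    while IFS= read -r _line; do
        case "$_line" in
            ''|*:) ;;
            *"NOT OK"*) _bad=$((_bad + 1)); echo "FAILED: $_line" ;;
            *OK) _ok=$((_ok + 1)) ;;
            *) _bad=$((_bad + 1)); echo "FAILED: $_line" ;;
        esac
    done <<EOF
$1
EOF
    [ "$_bad" -eq 0 ] && [ "$_ok" -gt 0 ]
}

# Manual verification of a package file (rpm -K is --checksig, -v is per-line output).
verify_rpm() {
    checksig_verdict "$(rpm -Kv "$1" 2>&1)"
}

# Usage (placeholder path):
#   rpm_import_key && key_expiry_report && check_revocations && verify_rpm ./bdot-collector.x86_64.rpm
```

checksig_verdict deliberately fails on an empty or header-only result as well as on a NOKEY or BAD line: a package whose key was never imported produces no OK lines rather than a negative one, and "nothing failed" must not be mistaken for "verified".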
