BDOT Collector Linux Package GPG Signing Verification
This document describes how to verify the GPG signature on the BDOT collector's Linux packages.
Preliminary Information
Signature verification is done automatically by the collector install script, but users who wish to use the Linux packages retrieved directly, without the install script, may wish to verify the signature on the packages independently.
GPG Verification Data
The data required to verify the signature can be downloaded using curl:
curl https://bdot.bindplane.com/${COLLECTOR_VERSION}/gpg-keys.tar.gz -o /tmp/bdot-gpg-keys.tar.gz
mkdir -p /tmp/gpg
tar -xzf /tmp/bdot-gpg-keys.tar.gz -C /tmp/gpg
gpg-keys.tar.gz contains:
bdot-public-gpg-key.asc: This is the key used to verify the signature on this version of the collector.
deb-revocations/: This folder contains any historically revoked keys. These keys are included to prevent any software signed with a revoked key from successfully installing on a Debian system. Currently, there are no revocations included.
rpm-revocation.txt: This file contains a list of all RPM key IDs that correspond to revoked keys. These key IDs should all be erased from the RPM store to prevent software signed with a revoked key from being installed on an RPM system. Currently, there are no entries in this file, since there are no revocations.
How to Verify
Debian
Apt Verification
Debian-based systems using apt-get have no mechanism for enforcing GPG checks on locally installed packages, so the signature has to be checked manually.
Manual Verification
First, ensure that both gpg and ar are installed on the system.
command -v gpg
command -v ar
If either command prints nothing, install the corresponding package using apt.
sudo apt-get update
# gpg
sudo apt-get install gpg
# ar
sudo apt-get install binutils
Import bdot-public-gpg-key.asc and any entries in deb-revocations/ into the GPG keyring.
TMP_DIR=/tmp  # the archive was extracted to /tmp/gpg above
gpg --import "$TMP_DIR/gpg/bdot-public-gpg-key.asc"
# import any revoked keys so that gpg reports signatures made with them as revoked
if compgen -G "$TMP_DIR/gpg/deb-revocations/*" > /dev/null; then
  for key in "$TMP_DIR/gpg/deb-revocations/"*; do
    gpg --import "$key"
  done
fi
Then, extract _gpgorigin from the collector Debian package.
ar x observiq-otel-collector_<VERSION>_linux_<ARCH>.deb _gpgorigin
Then, verify the signature. The detached signature in _gpgorigin covers the three package members piped to gpg here, in this order.
ar p observiq-otel-collector_v1.88.0_linux_amd64.deb debian-binary control.tar.gz data.tar.gz | gpg --verify _gpgorigin -
If satisfied with the result (the signature is good and the key is present, not expired, and not revoked), alter the trust level on the imported key to increase confidence in future signature verifications.
gpg --list-keys
# find the BDOT collector key and note its fingerprint
gpg --edit-key <FINGERPRINT>
gpg> trust
# select a trust level at the prompt
gpg> save
RPM
First, import bdot-public-gpg-key.asc using RPM.
sudo rpm --import "bdot-public-gpg-key.asc"
Ensure that the key is not expired.
Next, ensure that there are no entries in your RPM store that match an ID in rpm-revocations.txt.
while IFS= read -r id; do
  sudo rpm -q "$id"
done < rpm-revocations.txt
If any of the output lines do not end with "is not installed", the corresponding key packages are present and need to be removed.
sudo rpm -e "$id"  # substitute each revoked key ID that rpm -q reported as installed
Yum Verification
First, ensure yum is configured to enforce GPG signing:
sudo vi /etc/yum.conf
Ensure the main block contains:
[main]
gpgcheck=1
localpkg_gpgcheck=1
Finally, attempt to install the package. If the package is signed with a valid signature, this should succeed.
sudo yum install observiq-otel-collector_<VERSION>_linux_<ARCH>.rpm
Dnf Verification
First, ensure dnf is configured to enforce GPG signing:
sudo vi /etc/dnf/dnf.conf
Ensure the main block contains:
[main]
gpgcheck=1
localpkg_gpgcheck=1
Finally, attempt to install the package. If the package is signed with a valid signature, this should succeed.
sudo dnf install observiq-otel-collector_<VERSION>_linux_<ARCH>.rpm
Manual Verification
Manual verification is simple:
sudo rpm --checksig -v observiq-otel-collector_<VERSION>_linux_<ARCH>.rpm
Ensure all four lines end with OK.
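Both manual procedures above (the gpg --verify result for the .deb and the rpm --checksig lines for the .rpm) end with a human reading the output. The following POSIX shell functions are an added example, not part of the BDOT documentation or its install script: they make those checks machine-readable by parsing gpg's --status-fd output and rpm's verbose checksig output. The .deb member names and the _gpgorigin signature file are taken from the steps above; the status lines used to exercise the functions are constructed.

```shell
#!/bin/sh
# Added example, not from the BDOT documentation: script-friendly versions of
# the "inspect the output" steps above. gpg's --status-fd lines are a stable
# machine interface; its human-readable output is not.

# Read gpg --status-fd output on stdin. Succeed only on a GOODSIG with no
# expired, revoked, bad or unverifiable signature reported.
check_gpg_status() {
    good=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] EXPKEYSIG "*) echo "signing key has expired" >&2; return 1 ;;
            "[GNUPG:] REVKEYSIG "*) echo "signing key is revoked" >&2;   return 1 ;;
            "[GNUPG:] EXPSIG "*)    echo "signature has expired" >&2;    return 1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*|"[GNUPG:] NODATA "*)
                echo "signature did not verify: $line" >&2; return 1 ;;
        esac
    done
    [ "$good" -eq 1 ]
}

# Same data flow as the manual .deb steps (detached signature _gpgorigin over
# the three members in this order), with gpg reporting through --status-fd.
verify_deb() {
    deb=$1
    ar x "$deb" _gpgorigin || return 1
    ar p "$deb" debian-binary control.tar.gz data.tar.gz \
        | gpg --status-fd 1 --verify _gpgorigin - \
        | check_gpg_status
}

# Read `rpm --checksig -v` output on stdin. The first line names the package
# and ends in ':'; every remaining line must end in OK.
check_rpm_checksig() {
    while IFS= read -r line; do
        case "$line" in
            *:)      ;;
            *" OK")  ;;
            *) echo "checksig failure: $line" >&2; return 1 ;;
        esac
    done
    return 0
}
```

Typical use: `verify_deb observiq-otel-collector_<VERSION>_linux_<ARCH>.deb && echo verified`, or `rpm --checksig -v package.rpm | check_rpm_checksig`.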