OpenStack Tutorial: Verifying RPM or Debian packages from the Platform9 installer
This tutorial is for those who wish to verify the authenticity of RPM or Debian packages included in the self-extracting installers.
Step 1 – Download and import the Platform9 Systems GPG key
The Platform9 Systems public GPG key can be downloaded on the cloud platform service at https://[Your cloud platform hostname]/private/GPG-Platform9-Systems or from the link on the “Add KVM Hosts” page under Infrastructure:
The key needs to be imported into your system’s package manager.
For RPM-based distributions such as Redhat, CentOS, and Fedora:
[code lang=”bash”]sudo rpm –import GPG-Platform9-Systems[/code]For Apt-based distributions such as Debian and Ubuntu:
[code lang=”bash”]sudo apt-key add GPG-Platform9-Systems[/code]Step 2 – Extract the files from the Platform9 installer
In a terminal window, run the installer for your platform with the –extract option. This will extract all packages inside the installer and not proceed with self-installation.
Redhat/CentOS:
[code lang=”bash”]sudo bash platform9-install-redhat.sh –extract[/code]Debian/Ubuntu:
[code lang=”bash”]sudo bash platform9-install-debian.sh –extract[/code]Step 3 – Verify the extracted packages
The installer will provide a temporary directory containing the extracted packages. From the terminal, change into that directory and use your system’s package manager to verify the tools.
For RPM packages, the command and resulting output should be similar to this:
[code lang=”bash”]$ rpm –checksig *.rpmpf9-comms-1.4.0-200.8626a9f.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-hostagent.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-vmw-mgmt-1.0.0-101.x86_64.rpm: rsa sha1 (md5) pgp md5 OK[/code]
Our .deb packages are signed through debsigs. To verify a package, a policy file and keychain has to be created for our public key. Copy the following and paste it into a file named pf9-install-debsigs-policy.sh that resides in the same directory as the public key you downloaded:
[bash linenum=”false”]#!/bin/shusage() {
echo “Usage: $0
exit 1
}
[ -d “$1” ] && usage
apt-get install debsigs debsig-verify
KEYID=$(gpg –keyid-format long –list-packets “$1” | grep ‘:signature packet:’ | head -n 1 | awk ‘{print $6}’)
if [ ! $? -eq 0 ]; then
echo “Keyid extraction failed for $1”
exit 1
fi
echo “Key ID: $KEYID”
echo “Creating debsig keyring and policy directories…”
mkdir -p /etc/debsig/policies/”${KEYID}”/ /usr/share/debsig/keyrings/”${KEYID}”/
echo “Importing public key…”
gpg –no-default-keyring –keyring /usr/share/debsig/keyrings/”${KEYID}”/debsig.gpg –import “$1”
echo “Creating debsig policy for public key…”
cat >/etc/debsig/policies/”${KEYID}”/debsig.pol <
EOS[/bash]
After creating pf9-install-debsigs-policy.sh, run the following commands:
[code lang=”bash”]$ chmod +x pf9-install-debsigs-policy.sh$ sudo ./pf9-install-debsigs-policy.sh GPG-Platform9-Systems[/code]
Debsig-verify should now be able to verify the packages:
[code lang=”bash”]$ sudo debsig-verify *.deb[/code]