Installer Package Verification
This document explains the steps required to verify the authenticity of the RPM or Debian packages included in the PMO installer. All packages that are bundled as part of the PMO installer are signed by Platform9 with every new release of PMO. Some organizations require validation of package authenticity after every upgrade of PMO as part of their security policies. This article describes the process to do this.
Step 1 - Download and import the Platform9 public GPG key
There are two ways to download the Platform9 public GPG key for your PMO cloud.
- Navigate to https://<my-company-pmo-FQDN>/private/GPG-Platform9-Systems
For example, if your PMO account URL (FQDN) is mycompany.platform9.net, the URL to download the GPG key is https://mycompany.platform9.net/private/GPG-Platform9-Systems
- In the PMO UI navigate to Infrastructure > Add Hosts page. Search for public GPG key on this page or look at the section titled Package Signing
The key needs to be imported into your Linux system's package manager. Before importing it, display the key's fingerprint with gpg --with-fingerprint GPG-Platform9-Systems and confirm it against a value obtained from Platform9 through a channel other than the download itself.
For RPM-based distributions such as RedHat and CentOS:
sudo rpm --import GPG-Platform9-Systems
For Apt-based distributions such as Debian and Ubuntu:
sudo apt-key add GPG-Platform9-Systems
apt-key is deprecated on current Debian and Ubuntu releases and prints a warning. The debsig-verify check in Step 3 does not depend on it: that step imports the key into a dedicated keyring under /usr/share/debsig/keyrings.
Step 2 - Extract the files from the Platform9 installer
In a terminal window, run the installer for your Linux platform with the --extract option. This option extracts all packages inside the installer.
For Redhat/CentOS run:
sudo bash platform9-install-redhat.sh --extract
For Debian/Ubuntu run:
sudo bash platform9-install-debian.sh --extract
Step 3 - Verify the extracted packages
The installer creates a temporary directory containing the extracted packages. From the terminal, change into that directory and use your Linux system's package manager to verify the packages.
For RPM packages, the command and resulting output should be similar to this:
$ rpm --checksig *.rpm
pf9-comms-1.4.0-200.8626a9f.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-hostagent.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-vmw-mgmt-1.0.0-101.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
PMO .deb packages are signed with debsigs. To verify a package, a debsig policy file and a keyring have to be created for the Platform9 public key. Copy the following into a file named pf9-install-debsigs-policy.sh in the same directory as the public key you downloaded:
#!/bin/bash
# Creates the debsig-verify keyring and policy for the Platform9 public key.
# Run as root: it writes to /etc/debsig and /usr/share/debsig.
set -e

usage() {
    echo "Usage: ${0} <gpg key file>"
    exit 1
}
# Show usage information if no file is specified
[ -z "$1" ] && usage
# Exit if the argument is not a regular file (for example, a directory)
[ -f "$1" ] || usage
apt install -y debsigs debsig-verify
# The key ID is the 16-hex-digit long ID of the primary key, taken from its
# self-signature packet; debsig-verify names the policy and keyring directories after it.
KEYID=$(gpg --keyid-format long --list-packets "$1" | grep ':signature packet:' | head -n 1 | awk '{print $6}')
if [ -z "${KEYID}" ]; then
    echo "Key ID extraction failed for $1"
    exit 1
fi
echo "Key ID: ${KEYID}"
echo "Creating debsig keyring and policy directories..."
mkdir -p /etc/debsig/policies/"${KEYID}"/ /usr/share/debsig/keyrings/"${KEYID}"/
echo "Importing public key..."
gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/"${KEYID}"/debsig.gpg --import "$1"
echo "Creating debsig policy for public key..."
# Policy in the debsig 1.0 format: the package must carry an "origin" signature
# made by this key, and that signature is the only one required for verification.
cat > /etc/debsig/policies/"${KEYID}"/debsig.pol <<EOS
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <Origin Name="pf9" id="${KEYID}" Description="Platform9 Systems"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="${KEYID}"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="${KEYID}"/>
  </Verification>
</Policy>
EOS
After creating pf9-install-debsigs-policy.sh, run the following commands:
chmod +x pf9-install-debsigs-policy.sh
sudo ./pf9-install-debsigs-policy.sh GPG-Platform9-Systems
Debsig-verify should now be able to verify the packages:
$ sudo debsig-verify *.deb
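The whole of Step 3 as one script, added here as an example; it is not part of the Platform9 installer or its documentation. It assumes Step 1 has been completed (the key imported into rpm, or pf9-install-debsigs-policy.sh run for .deb systems) and takes the directory created by --extract as its argument (the path in the trailing comment is hypothetical). It goes beyond the page in one respect: a line from rpm --checksig that reports only good digests, which is what rpm prints for a package carrying no signature at all, is treated as a failure rather than a pass, and each .deb is handed to debsig-verify on its own so that a failing package is reported by name.

```shell
#!/bin/sh
# Added example (not Platform9's code): verify every extracted package and
# exit non-zero if any of them lacks a good signature from the imported key.

# Classify one line of `rpm --checksig` output. Returns 0 only when the line
# reports a good signature. A line that only reports good digests (no "pgp",
# "gpg" or "signatures" word) means the package is unsigned and is rejected.
rpm_sig_line_ok() {
    # lower-case the line: rpm prints "pgp"/"PGP" and "signatures"/"SIGNATURES"
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$line" in
        *"not ok"*)                                  return 1 ;;  # bad signature, bad digest or missing key
        *pgp*" ok"|*gpg*" ok"|*signatures*" ok")     return 0 ;;  # pre-4.14 and 4.14+ wording
        *)                                           return 1 ;;  # "digests OK" / "sha1 md5 OK": unsigned
    esac
}

# Check every .rpm in a directory, one rpm --checksig call per file.
verify_rpm_dir() {
    dir="$1"; failed=0
    for pkg in "$dir"/*.rpm; do
        line=$(rpm --checksig "$pkg" 2>&1)
        if rpm_sig_line_ok "$line"; then
            echo "PASS: $line"
        else
            echo "FAIL: $line" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Check every .deb in a directory; debsig-verify uses the policy and keyring
# installed by pf9-install-debsigs-policy.sh.
verify_deb_dir() {
    dir="$1"; failed=0
    for pkg in "$dir"/*.deb; do
        if debsig-verify "$pkg"; then
            echo "PASS: $pkg"
        else
            echo "FAIL: $pkg" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Pick the package format from what the directory contains.
verify_extracted_dir() {
    dir="$1"
    if ls "$dir"/*.rpm >/dev/null 2>&1; then
        verify_rpm_dir "$dir"
    elif ls "$dir"/*.deb >/dev/null 2>&1; then
        verify_deb_dir "$dir"
    else
        echo "no .rpm or .deb packages found in $dir" >&2
        return 2
    fi
}

# Run directly as:  sudo sh verify-pf9-packages.sh /tmp/platform9-extracted
# (hypothetical directory name; use the one printed by the --extract run)
if [ "$#" -gt 0 ]; then
    verify_extracted_dir "$1"
fi
```

The per-file loop matters for the .deb case because the policy file selects a single required origin signature: if one package in the directory was rebuilt or tampered with, its own debsig-verify call fails and the script's exit status reflects it, instead of the result being buried in the output of one combined run.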