Verifying Authenticity of RPM or Debian packages from Platform9 Installer
This tutorial is for those who wish to verify the authenticity of RPM or Debian packages included in the self-extracting installers.
Step 1 - Download and import the Platform9 Systems GPG key
The Platform9 Systems public GPG key can be downloaded on the cloud platform service at https://[Your cloud platform hostname]/private/GPG-Platform9-Systems or from the link on the "Add KVM Hosts" page under Infrastructure:
The key needs to be imported into your system's package manager.
For RPM-based distributions such as Redhat, CentOS, and Fedora:
For Apt-based distributions such as Debian and Ubuntu:
Step 2 - Extract the files from the Platform9 installer
In a terminal window, run the installer for your platform with the --extract option. This will extract all packages inside the installer and not proceed with self-installation.
Step 3 - Verify the extracted packages
The installer will provide a temporary directory containing the extracted packages. From the terminal, change into that directory and use your system's package manager to verify the tools.
For RPM packages, the command and resulting output should be similar to this:
Our .deb packages are signed through debsigs. To verify a package, a policy file and keychain has to be created for our public key. Copy the following and paste it into a file named pf9-install-debsigs-policy.sh that resides in the same directory as the public key you downloaded:
After creating pf9-install-debsigs-policy.sh, run the following commands:
Debsig-verify should now be able to verify the packages: