PMO Installer Package Verification

This article explains how to verify the authenticity of the RPM or Debian packages bundled in the PMO installer. Platform9 signs every package in the installer with each new PMO release. Some organizations' security policies require validating package authenticity after every PMO upgrade; the steps below do exactly that.

Step 1 - Download and import the Platform9 Systems GPG key

There are two ways to obtain the Platform9 public GPG key for your PMO cloud.

  • Navigate to https://<your PMO account FQDN>/private/GPG-Platform9-Systems

For example, if your PMO account URL (FQDN) is mycompany.platform9.net, the URL to download the GPG key is https://mycompany.platform9.net/private/GPG-Platform9-Systems

  • In the PMO UI, navigate to the Infrastructure > Add Hosts page. Search for "public GPG key" on this page, or look at the section titled Package Signing.

The key must be imported into your Linux system's package manager. Before importing it, display its fingerprint with gpg and compare it with the key shown on the Add Hosts page: the download is served over HTTPS from your own PMO account, but once imported the key is trusted for every future package check, so confirm you have the right one.

For RPM-based distributions such as Red Hat and CentOS:

sudo rpm --import GPG-Platform9-Systems

For APT-based distributions such as Debian and Ubuntu:

sudo apt-key add GPG-Platform9-Systems

apt-key is deprecated on current Debian and Ubuntu releases; there, place the key (converted to binary form with gpg --dearmor if it is ASCII-armored) in /etc/apt/trusted.gpg.d/ instead. Either way, this keyring is only what apt consults for repository metadata; the per-package .deb check in Step 3 uses a separate debsig-verify keyring that is created in that step.

Step 2 - Extract the files from the Platform9 installer

In a terminal window, run the installer for your Linux platform with the --extract option, which extracts all packages inside the installer. Note that this step executes the installer script itself, which the signature checks below do not cover; they cover the packages it carries.

For Red Hat/CentOS run:

sudo bash platform9-install-redhat.sh --extract

For Debian/Ubuntu run:

sudo bash platform9-install-debian.sh --extract

Step 3 - Verify the extracted packages

The installer creates a temporary directory with the extracted packages. From the terminal, change into that directory and use your Linux system's package manager to verify the packages.

For RPM packages, the command and resulting output should be similar to this. Each line must both report a signature (the pgp or gpg token on older rpm releases, or "signatures" on rpm 4.14 and later) and end in OK: an unsigned package also prints OK because only its digests are checked, and a package signed by a key that has not been imported prints NOT OK (with MISSING KEYS on older rpm). rpm also exits with a non-zero status if any package fails, which is the result to check from scripts.

$ rpm --checksig *.rpm
pf9-comms-1.4.0-200.8626a9f.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-hostagent.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-vmw-mgmt-1.0.0-101.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

PMO .deb packages are signed with debsigs. To verify a package, a debsig-verify policy file and keyring must be created for the PMO public key. Copy the following into a file named pf9-install-debsigs-policy.sh in the same directory as the public key you downloaded:

#!/bin/sh
# Create the debsig-verify keyring and policy for the Platform9 package-signing key.
# Usage: pf9-install-debsigs-policy.sh <gpg key file>   (run as root)
set -e

usage() {
  echo "Usage: ${0} <gpg key file>"
  exit 1
}

# Show usage information if no file is specified, or it is a directory or unreadable
[ -z "${1:-}" ] && usage
[ -d "$1" ] && usage
[ -r "$1" ] || usage

# Writing under /etc/debsig and /usr/share/debsig requires root
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root (sudo)"
  exit 1
fi

apt-get install -y debsigs debsig-verify

# debsig-verify names its policy and keyring directories after the long
# (16 hex digit) key ID; take it from the key's first self-signature packet.
KEYID=$(gpg --keyid-format long --list-packets "$1" | grep ':signature packet:' | head -n 1 | awk '{print $6}')

# The pipeline's exit status is awk's, which is 0 even when nothing matched,
# so test the extracted value rather than $?.
if [ -z "${KEYID}" ]; then
  echo "Key ID extraction failed for $1"
  exit 1
fi

echo "Key ID: ${KEYID}"
echo "Creating debsig keyring and policy directories..."
mkdir -p /etc/debsig/policies/"${KEYID}"/ /usr/share/debsig/keyrings/"${KEYID}"/

echo "Importing public key..."
gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/"${KEYID}"/debsig.gpg --import "$1"
# gpg creates the keyring owner-readable only; debsig-verify itself does not
# need root, so make the keyring world-readable like the rest of /usr/share.
chmod 0644 /usr/share/debsig/keyrings/"${KEYID}"/debsig.gpg

echo "Creating debsig policy for public key..."

cat > /etc/debsig/policies/"${KEYID}"/debsig.pol <<EOS
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <Origin Name="pf9" id="${KEYID}" Description="Platform9 Systems"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="${KEYID}"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="${KEYID}"/>
  </Verification>
</Policy>
EOS

After creating pf9-install-debsigs-policy.sh, run the following commands:

chmod +x pf9-install-debsigs-policy.sh
sudo ./pf9-install-debsigs-policy.sh GPG-Platform9-Systems

debsig-verify should now be able to verify the packages. It checks one package per invocation, so loop over the extracted files rather than passing a glob:

$ for f in *.deb; do sudo debsig-verify "$f" || echo "FAILED: $f"; done

Each verified package prints a line similar to "debsig: Verified package from 'Platform9 Systems' (pf9)" and debsig-verify exits 0; any other output, or a non-zero exit status, means the package should not be installed.
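The whole of Step 3, for both package formats, combined into one script that fails closed. This is an added example, not part of the original article or of the Platform9 installer. It assumes Step 1 (rpm key import) and the debsig policy setup above have been done, and it uses an assumed optional environment variable PF9_KEYID (the Platform9 key's long 16-hex-digit key ID) to insist that each RPM was signed by that specific key and not merely by some imported key; the script name verify-pf9-packages.sh is likewise an assumption.

```sh
#!/bin/sh
# verify-pf9-packages.sh <extracted-dir>
# Added example (not Platform9 tooling): verify every .rpm and .deb the
# installer extracted and exit non-zero if any package is unsigned, signed by
# an unknown key, or fails its digest check. Assumes the Platform9 key was
# imported into rpm (Step 1) and the debsig policy/keyring exist (Step 3).
# PF9_KEYID is an assumed, optional environment variable holding the long
# (16 hex digit) ID of the Platform9 key; when set, each RPM must match it.

# rpm --checksig prints "OK" for an unsigned package too (digests only), so a
# grep for OK is not a signature check. Accept a result line only if it ends
# in OK, does not report NOT OK or MISSING KEYS, and names a signature:
# "pgp"/"gpg" (rpm before 4.14) or "signatures" (rpm 4.14 and later).
rpm_sig_line_ok() {
  case $1 in
    *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;
  esac
  case $1 in
    *" OK") ;;
    *) return 1 ;;
  esac
  case $1 in
    *" pgp "*|*" gpg "*|*" signatures OK") return 0 ;;
  esac
  return 1
}

# rpm records the signing key ID in the package's signature header; require
# it to be the expected key rather than any key that happens to be imported.
rpm_signed_by() {
  rpm -qp --qf '%{SIGPGP:pgpsig} %{RSAHEADER:pgpsig}\n' "$1" 2>/dev/null \
    | grep -qi "Key ID $2"
}

verify_rpms() {
  rpm_fail=0
  for f in "$1"/*.rpm; do
    [ -e "$f" ] || continue            # no RPMs in this directory
    out=$(rpm --checksig "$f" 2>&1) || true
    if ! rpm_sig_line_ok "$out"; then
      echo "FAIL $out"; rpm_fail=1; continue
    fi
    if [ -n "${PF9_KEYID:-}" ] && ! rpm_signed_by "$f" "$PF9_KEYID"; then
      echo "FAIL $f: not signed by key $PF9_KEYID"; rpm_fail=1; continue
    fi
    echo "PASS $out"
  done
  return $rpm_fail
}

# debsigs stores the origin signature as an extra ar member named _gpgorigin.
# debsig-verify checks one package per invocation, so loop over the files and
# treat any non-zero exit status as a failure.
verify_debs() {
  deb_fail=0
  for f in "$1"/*.deb; do
    [ -e "$f" ] || continue
    if command -v ar >/dev/null 2>&1 && ! ar t "$f" | grep -qx '_gpgorigin'; then
      echo "FAIL $f: no _gpgorigin member, package is unsigned"; deb_fail=1; continue
    fi
    if debsig-verify "$f"; then
      echo "PASS $f"
    else
      echo "FAIL $f"; deb_fail=1
    fi
  done
  return $deb_fail
}

main() {
  [ -d "$1" ] || { echo "Usage: $0 <directory of extracted packages>" >&2; return 2; }
  status=0
  verify_rpms "$1" || status=1
  verify_debs "$1" || status=1
  if [ "$status" -eq 0 ]; then
    echo "All packages verified"
  else
    echo "VERIFICATION FAILED: do not install" >&2
  fi
  return $status
}

# Only run when given a directory, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
  exit $?
fi
```

Run it from the directory the installer created, e.g. verify-pf9-packages.sh . (with PF9_KEYID exported if you want the key-ID check), and gate the real installation on its exit status.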