This tutorial is for those who wish to verify the authenticity of RPM or Debian packages included in the self-extracting installers. Step 1 - Download and import the Platform9 Systems GPG key The Platform9 Systems public GPG key can be downloaded on the cloud platform service at https://[Your cloud platform hostname]/private/GPG-Platform9-Systems or from the link on the “Add KVM Hosts” page under Infrastructure: gpglin

The key needs to be imported into your system’s package manager. For RPM-based distributions such as Redhat, CentOS, and Fedora:

sudo rpm --import GPG-Platform9-Systems

For Apt-based distributions such as Debian and Ubuntu:

sudo apt-key add GPG-Platform9-Systems

Step 2 - Extract the files from the Platform9 installer

In a terminal window, run the installer for your platform with the –extract option. This will extract all packages inside the installer and not proceed with self-installation. Redhat/CentOS:

sudo bash platform9-install-redhat.sh --extract

Debian/Ubuntu:

sudo bash platform9-install-debian.sh --extract

Step 3 - Verify the extracted packages The installer will provide a temporary directory containing the extracted packages. From the terminal, change into that directory and use your system’s package manager to verify the tools. For RPM packages, the command and resulting output should be similar to this:

$ rpm --checksig *.rpm
pf9-comms-1.4.0-200.8626a9f.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-hostagent.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-vmw-mgmt-1.0.0-101.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

Our .deb packages are signed through debsigs. To verify a package, a policy file and keychain has to be created for our public key.  Copy the following and paste it into a file named pf9-install-debsigs-policy.sh that resides in the same directory as the public key you downloaded:

#!/bin/sh

usage() {
  echo "Usage: ${0} <gpg key file>"
  exit 1
}

# Show usage information if no file is specified
[ -z "$1" ] && usage

# Exit if file is a directory
[ -d "$1" ] && usage

apt install -y debsigs debsig-verify

KEYID=$(gpg --keyid-format long --list-packets "$1" | grep ':signature packet:' | head -n 1 | awk '{print $6}')

if [ ! $? -eq 0 ]; then
  echo "Key ID extraction failed for $1"
  exit 1
fi

echo "Key ID: ${KEYID}"
echo "Creating debsig keyring and policy directories..."
mkdir -p /etc/debsig/policies/"${KEYID}"/ /usr/share/debsig/keyrings/"${KEYID}"/

echo "Importing public key..."
gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/"${KEYID}"/debsig.gpg --import "$1"

echo "Creating debsig policy for public key..."

cat > /etc/debsig/policies/"${KEYID}"/debsig.pol <<EOS
<version="1.0">
<policy xmlns="http://www.debian.org/debsig/1.0/">
  <origin name="pf9" id="${KEYID}" description="Platform9 Systems"></origin>
<selection>
    <required type="origin" file="debsig.gpg" id="${KEYID}"></required>
  </selection>
  <verification minoptional="0">
    <required type="origin" file="debsig.gpg" id="${KEYID}"></required>
  </verification>
</policy>
EOS

After creating pf9-install-debsigs-policy.sh, run the following commands:

$ chmod +x pf9-install-debsigs-policy.sh
$ sudo ./pf9-install-debsigs-policy.sh GPG-Platform9-Systems

Debsig-verify should now be able to verify the packages:

$ sudo debsig-verify *.deb