Package Signing And Verification for Installer

This article explains the steps required to verify the authenticity of RPM or Debian packages included in the self-extracting installers.

Step 1 - Download and import the Platform9 Systems GPG key

The Platform9 Systems public GPG key can be downloaded on the cloud platform service at https://[Your cloud platform hostname]/private/GPG-Platform9-Systems or from the link on the Infrastructure>Add Hosts page.


The key needs to be imported into your system’s package manager.

For RPM-based distributions such as Redhat, CentOS, and Fedora:

sudo rpm --import GPG-Platform9-Systems

For Apt-based distributions such as Debian and Ubuntu:

sudo apt-key add GPG-Platform9-Systems

Step 2 - Extract the files from the Platform9 installer

In a terminal window, run the installer for your platform with the –extract option. This will extract all packages inside the installer and not proceed with self-installation.


sudo bash --extract


sudo bash --extract

Step 3 - Verify the extracted packages

The installer will provide a temporary directory containing the extracted packages. From the terminal, change into that directory and use your system’s package manager to verify the tools. For RPM packages, the command and resulting output should be similar to this:

$ rpm --checksig *.rpm
pf9-comms-1.4.0-200.8626a9f.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-hostagent.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-vmw-mgmt-1.0.0-101.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

Our .deb packages are signed through debsigs. To verify a package, a policy file and keychain has to be created for our public key. Copy the following and paste it into a file named that resides in the same directory as the public key you downloaded:


usage() {
  echo "Usage: ${0} <gpg key file>"
  exit 1

# Show usage information if no file is specified
[ -z "$1" ] && usage

# Exit if file is a directory
[ -d "$1" ] && usage

apt install -y debsigs debsig-verify

KEYID=$(gpg --keyid-format long --list-packets "$1" | grep ':signature packet:' | head -n 1 | awk '{print $6}')

if [ ! $? -eq 0 ]; then
  echo "Key ID extraction failed for $1"
  exit 1

echo "Key ID: ${KEYID}"
echo "Creating debsig keyring and policy directories..."
mkdir -p /etc/debsig/policies/"${KEYID}"/ /usr/share/debsig/keyrings/"${KEYID}"/

echo "Importing public key..."
gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/"${KEYID}"/debsig.gpg --import "$1"

echo "Creating debsig policy for public key..."

cat > /etc/debsig/policies/"${KEYID}"/debsig.pol <<EOS
<policy xmlns="">
  <origin name="pf9" id="${KEYID}" description="Platform9 Systems"></origin>
    <required type="origin" file="debsig.gpg" id="${KEYID}"></required>
  <verification minoptional="0">
    <required type="origin" file="debsig.gpg" id="${KEYID}"></required>

After creating, run the following commands:

chmod +x
sudo ./ GPG-Platform9-Systems

Debsig-verify should now be able to verify the packages:

$ sudo debsig-verify *.deb