Verifying RPM or Debian packages from the Platform9 installer

This tutorial is for those who wish to verify the authenticity of RPM or Debian packages included in the self-extracting installers.

Step 1 - Download and import the Platform9 Systems GPG key

The Platform9 Systems public GPG key can be downloaded on the cloud platform service at https://[Your cloud platform hostname]/private/GPG-Platform9-Systems or from the link on the "Add KVM Hosts" page under Infrastructure:

gpglink

The key needs to be imported into your system's package manager.

For RPM-based distributions such as Redhat, CentOS, and Fedora:

sudo rpm --import GPG-Platform9-Systems

For Apt-based distributions such as Debian and Ubuntu:

sudo apt-key add GPG-Platform9-Systems

Step 2 - Extract the files from the Platform9 installer

In a terminal window, run the installer for your platform with the --extract option. This will extract all packages inside the installer and not proceed with self-installation.

Redhat/CentOS:

sudo bash platform9-install-redhat.sh --extract

Debian/Ubuntu:

sudo bash platform9-install-debian.sh --extract

Step 3 - Verify the extracted packages

The installer will provide a temporary directory containing the extracted packages. From the terminal, change into that directory and use your system's package manager to verify the tools.

For RPM packages, the command and resulting output should be similar to this:

$ rpm --checksig *.rpm
pf9-comms-1.4.0-200.8626a9f.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-hostagent.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
pf9-vmw-mgmt-1.0.0-101.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

Our .deb packages are signed through debsigs. To verify a package, a policy file and keychain has to be created for our public key.  Copy the following and paste it into a file named pf9-install-debsigs-policy.sh that resides in the same directory as the public key you downloaded:

#!/bin/sh
usage() {
  echo "Usage: $0 <gpg key="" file="">"
  exit 1
}
[ "x$1" = "x" ] &amp;&amp; usage
[ -d "$1" ] &amp;&amp; usage
apt-get install debsigs debsig-verify
KEYID=$(gpg --keyid-format long --list-packets "$1" | grep ':signature packet:' | head -n 1 | awk '{print $6}')
if [ ! $? -eq 0 ]; then
  echo "Keyid extraction failed for $1"
  exit 1
fi
echo "Key ID: $KEYID"
echo "Creating debsig keyring and policy directories..."
mkdir -p /etc/debsig/policies/"${KEYID}"/ /usr/share/debsig/keyrings/"${KEYID}"/
echo "Importing public key..."
gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/"${KEYID}"/debsig.gpg --import "$1"
echo "Creating debsig policy for public key..."
cat >/etc/debsig/policies/"${KEYID}"/debsig.pol <<eos version="1.0">
<policy xmlns="http://www.debian.org/debsig/1.0/">
  <origin name="pf9" id="${KEYID}" description="Platform9 Systems"></origin>
<selection>
    <required type="origin" file="debsig.gpg" id="${KEYID}"></required>
  </selection>
  <verification minoptional="0">
    <required type="origin" file="debsig.gpg" id="${KEYID}"></required>
  </verification>
</policy>
EOS

After creating pf9-install-debsigs-policy.sh, run the following commands:

$ chmod +x pf9-install-debsigs-policy.sh
$ sudo ./pf9-install-debsigs-policy.sh GPG-Platform9-Systems

Debsig-verify should now be able to verify the packages:

$ sudo debsig-verify *.deb

 


December 30, 2015