Public PGP/GPG Key

This is the public PGP/GPG Key that can be used to verify the Cloudamize signature:


RPM Packages

Adding the key

RPM uses its own key management and the key can be added via:

  rpm --import <key_file>

Verifying Package

Verifying the package was signed can be done as follows:

  [root@rhel ~]# rpm -K cloudamize_agent.rpm
  rpm: rsa sha1 (md5) pgp md5 OK
  [root@rhel ~]# rpm -q --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p cloudamize_agent.rpm
  RSA/SHA1, Wed 29 Jan 2020 07:15:38 PM UTC, Key ID fd4e3a923f982b1f (not a blob)

A failed verification (key not imported or not trusted) will look like:

  [root@rhel ~]# rpm -K cloudamize_agent.rpm
  rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#3f982b1f)
  [root@rhel ~]# rpm -q --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p cloudamize_agent.rpm
  warning: cloudamize_agent.rpm: Header V3 RSA/SHA1 Signature, key ID 3f982b1f: NOKEY
  RSA/SHA1, Tue 23 Jun 2020 06:17:28 PM UTC, Key ID fd4e3a923f982b1f (none)

DEB Packages

DEB Packages are signed with “dpkg-sig”, not “debsign”. You cannot use debsig-verify to verify the package.

Adding the key

dpkg-sig uses the gpg keyring, so to successfully verify a package, the public key needs to be imported.

  gpg --import <pub-key-file>

Verifying Package

Verifying the signature is not automatic. There are two ways to verify. One is to use dpkg-sig:

  [root@9a111ec1b2f8 linux-agent]# dpkg-sig --verify cloudamize_agent.deb
  Processing cloudamize_agent.deb...
  GOODSIG _gpgbuilder 42C4433CD2C1A77270B43E4CFD4E3A923F982B1F 1580325339

You can also use gpg and ar:

  [root@9a111ec1b2f8 ~]# mkdir deb
  [root@9a111ec1b2f8 ~]# mv cloudamize_agent.deb deb/
  [root@9a111ec1b2f8 ~]# cd deb/
  [root@9a111ec1b2f8 deb]# ar x cloudamize_agent.deb
  [root@9a111ec1b2f8 deb]# ls
  deb control.tar.gz  data.tar.gz  debian-binary  _gpgbuilder
  [root@9a111ec1b2f8 deb]# gpg --verify _gpgbuilder
  gpg: Signature made Wed 29 Jan 2020 07:15:39 PM UTC using RSA key ID 3F982B1F
  gpg: Good signature from "Cloudamize <support@cloudamize.com>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 42C4 433C D2C1 A772 70B4 3E4C FD4E 3A92 3F98 2B1F

The warning means that no key you already trust has certified our signing key, which is to be expected.

A failed verification will look like:

  [root@9a111ec1b2f8 deb]# gpg --verify _gpgbuilder
  gpg: Signature made Tue 23 Jun 2020 06:17:30 PM UTC using RSA key ID 3F982B1F
  gpg: Can't check signature: public key not found
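
A good signature only shows that some imported key signed the package. The script below is an added example, not Cloudamize's own tooling; it also pins the signer to the fingerprint printed in the output above. The function names and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not Cloudamize tooling: accept a package only when the
# signature is good AND was made by the key pinned below.
# Fingerprint as printed in the gpg and dpkg-sig output on this page.
PINNED_FPR=42C4433CD2C1A77270B43E4CFD4E3A923F982B1F

# Hypothetical helper: reads `dpkg-sig --verify` output on stdin.
# Passes only if a GOODSIG line for the _gpgbuilder role carries the pinned
# fingerprint and no other *SIG status line (other key, other status) appears.
check_dpkg_sig() {
    awk -v fpr="$PINNED_FPR" '
        $1 == "GOODSIG" && $2 == "_gpgbuilder" && toupper($3) == fpr { good = 1; next }
        $1 ~ /^[A-Z]+SIG$/ { bad = 1 }
        END { if (good && !bad) exit 0; exit 1 }'
}

# Hypothetical helper: reads the pgpsig query output on stdin and compares
# the 64-bit key ID (all that rpm reports) with the tail of the fingerprint.
check_rpm_keyid() {
    want=$(printf '%s' "$PINNED_FPR" | tail -c 16 | tr 'A-F' 'a-f')
    got=$(sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Runs the page's own commands and feeds their output to the checks.
# rpm -K must pass first: the key ID alone is printed even when the key is missing.
verify_pkg() {
    case "$1" in
        *.deb) dpkg-sig --verify "$1" | check_dpkg_sig ;;
        *.rpm) rpm -K "$1" >/dev/null &&
               rpm -q --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p "$1" | check_rpm_keyid ;;
        *) echo "unsupported package type: $1" >&2; return 2 ;;
    esac
}

# Usage: sh verify_pkg.sh cloudamize_agent.deb   (exit status 0 = accepted)
if [ "$#" -eq 1 ]; then
    verify_pkg "$1"
fi
```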