Verifying detached signatures for content uploaded to the Customer Portal


Middleware signs its content with detached OpenPGP signatures. The signatures are published on the Customer Portal alongside the content they cover. Because the Customer Portal download does not verify the signature for you, the manual procedure below lets customers verify a downloaded file before installing it.

Prerequisites

  • Ensure the gpg package is installed.
  • The downloaded file and its detached signature (the .asc file). The example below uses file2.zip and file2.zip.asc.
  • The public half of the signing key pair that was used to sign the file. Middleware signs with the OpenPGP key 0x199E2F91FD431D51. You can fetch this key with wget:
wget https://www.redhat.com/security/data/fd431d51.txt

Important - Always obtain the latest release key over a secure channel. For example, use wget over HTTPS with certificate verification enabled; certificate verification is enabled by default as of Wget 1.10. The download itself does not prove the key is Red Hat's: after importing it, compare the fingerprint that gpg prints (the Primary key fingerprint line in step 2, 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51 for this key) with the fingerprint Red Hat publishes for its release keys on the Customer Portal before trusting any verification result.

Procedure

  1. Using gpg, import the release key into a temporary keyring that is used only for this verification. gpg creates ./temp.keyring if it does not exist and reports the key it imported (the import step does not print a "Good signature" line; that appears only in step 2).

    $>gpg --no-default-keyring --keyring ./temp.keyring --import fd431d51.txt
    gpg: key FD431D51: public key "Red Hat, Inc. (release key 2) <security@redhat.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    
  2. Using gpg and the temporary keyring from step 1, verify the .zip file against the .asc file that contains its detached signature. The signature file is given first and the signed data second.

    $>gpg --no-default-keyring --keyring ./temp.keyring --verify file2.zip.asc file2.zip
    gpg: assuming signed data in `file2.zip'
    gpg: Signature made Mon 18 Jun 2018 21:44:49 AEST using RSA key ID FD431D51
    gpg: Good signature from "Red Hat, Inc. (release key 2) <security@redhat.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51
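The two steps above, scripted so the check cannot be passed by a "Good signature" from the wrong key. This is an added example, not Red Hat's own tooling: it drives gpg non-interactively with --status-fd and accepts the file only when the machine-readable VALIDSIG line names the pinned primary-key fingerprint, which is the fingerprint gpg prints in the page's step 2 output. The file names follow the page; the sample status lines embedded for the offline self-check are constructed, not captured from a real run.

```shell
#!/bin/sh
# verify_detached.sh (added example, not Red Hat's tooling)
# Usage: sh verify_detached.sh fd431d51.txt file2.zip.asc file2.zip
# The fingerprint below is the "Primary key fingerprint" gpg prints in the page's own output.
EXPECTED_FPR="567E347AD0044ADE55BA8A5F199E2F91FD431D51"

# check_status EXPECTED_FPR STATUS_TEXT
# STATUS_TEXT is the output of gpg --status-fd.  Returns 0 only if a VALIDSIG
# line names EXPECTED_FPR as the signing key ($3) or as the primary key ($12).
# GOODSIG alone is not enough: any key that happens to be in the keyring yields
# a GOODSIG line.  Field layout, from gnupg's doc/DETAILS:
#   [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalg> <hashalg> <class> <primary-fpr>
check_status() {
  printf '%s\n' "$2" | awk -v want="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# verify_file KEY_FILE SIG_FILE DATA_FILE EXPECTED_FPR
# Mirrors the page's two manual steps (import into a temporary keyring, then
# --verify) inside a throw-away GNUPGHOME so nothing touches ~/.gnupg, then
# pins the fingerprint instead of trusting the human-readable output.
verify_file() {
  tmp=$(mktemp -d) || return 2
  GNUPGHOME=$tmp gpg --batch --quiet --no-default-keyring \
      --keyring "$tmp/temp.keyring" --import "$1" 2>/dev/null || { rm -rf "$tmp"; return 2; }
  # Status lines go to stdout (fd 1); gpg's human-readable messages are discarded.
  status=$(GNUPGHOME=$tmp gpg --batch --status-fd 1 --no-default-keyring \
      --keyring "$tmp/temp.keyring" --verify "$2" "$3" 2>/dev/null)
  rm -rf "$tmp"
  check_status "$4" "$status"
}

# Constructed status output (not from a real gpg run) for the three cases a
# practitioner must tell apart: Red Hat's key, some other key that is also in
# the keyring, and a tampered file.
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 199E2F91FD431D51 Red Hat, Inc. (release key 2) <security@redhat.com>
[GNUPG:] VALIDSIG 567E347AD0044ADE55BA8A5F199E2F91FD431D51 2018-06-18 1529322289 0 4 0 1 8 00 567E347AD0044ADE55BA8A5F199E2F91FD431D51'
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.com>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2018-06-18 1529322289 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 199E2F91FD431D51 Red Hat, Inc. (release key 2) <security@redhat.com>'

# Real verification only when the three file arguments are supplied.
if [ $# -eq 3 ]; then
  if verify_file "$1" "$2" "$3" "$EXPECTED_FPR"; then
    echo "OK: $3 carries a valid signature from $EXPECTED_FPR"
  else
    echo "FAIL: signature on $3 did not verify against $EXPECTED_FPR; do not use the file" >&2
    exit 1
  fi
fi
```

The script treats gpg's exit code as advisory and decides on the VALIDSIG fingerprint alone, so a keyring that accidentally contains an extra key, or a "Good signature" line from an unexpected key, still fails the check. It never needs a trust assignment on the key, which is why the WARNING lines the page shows do not matter to it.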
    

Results

If the procedure succeeded, the gpg output contains gpg: Good signature from "Red Hat, Inc. (release key 2) <security@redhat.com>" and a Primary key fingerprint line reading 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51. Check the fingerprint, not just the Good signature line: Good signature only states that some key in the keyring produced the signature, and the temporary keyring contains whatever key you downloaded, so the fingerprint is what ties the signature to Red Hat's published release key. The two WARNING lines are expected, because the temporary keyring carries no trust assignments; they do not mean the verification failed. A BAD signature, a missing public key, or any other response means the signature did not verify and the file must not be used.

If the file fails verification, delete it and download it again. If the new copy also fails verification, contact Red Hat Support immediately.
