Package verification v6.0.2

This section outlines the process of package verification for both Debian-based and Red Hat-based systems. It covers the different key types used for signing packages and how to import them for verification.

Package Signing Keys

Quantum Origin uses two different private keys to sign its .deb and .rpm packages. The packages can be verified with the corresponding public keys below:

  • QO_GPG_VERIFYING_KEY (an Ed25519 key) is the main key, used to sign all .deb packages and the .rpm packages for all operating systems except Red Hat 8 and AlmaLinux 8.
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    mDMEZ0Ry9xYJKwYBBAHaRw8BAQdADh17kEVl/aQlV4RWEL0LvDX7pQotfCvxi+0f
    DycrA2i0QFF1YW50aW51dW0gQ3liZXJzZWN1cml0eSBQYWNrYWdlIFNpZ25pbmcg
    PG9yaWdpbkBxdWFudGludXVtLmNvbT6IkwQTFgoAOxYhBOrPp7vZcs3ejf3NZFyu
    TffcukYNBQJnRHL3AhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEFyu
    TffcukYNLhoBANVFjkAahA51vGI1ZZdx1wk41HNv9Q2nyCdXdh/gaLZgAP0dh0ZU
    8hwQU9nbuYqfmhDebLDR8Jc9Kuto9vO7SfB/Cg==
    =GmWv
    -----END PGP PUBLIC KEY BLOCK-----
    
  • QO_GPG_VERIFYING_RSA_KEY (an RSA-4096 key) is used only to sign the .rpm packages for Red Hat 8 and AlmaLinux 8, because the rpm version shipped with those systems cannot verify Ed25519 (EdDSA) signatures.
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    
    xsFNBGeaV0ABEADDPqRJbNX8gZNwR1PdjbEfsqnqfZAHqYd+96JOKHoxSAAp84kn
    82urC6sKDX1q7e6bPS8WFK5zAz7T0AtS0RZGRqJ3qftvvDIcFstMi0w8ZzgeebH+
    uoBj5EpKwDOMJ5SVklJGeOExrU0GScsw7GbyO/Fhr6RcJSiCzfIjMXgW7MJOPOuV
    R+GyG4eXPV2MJImsja1jNnvcFJn3OZWsbLFiGqSrG+p9UylUSZIaZKKkx9JukPpS
    afuNrUYw5SUpKqhR9IrZJax8DbRa7JjiXZcYk0fzZLFt2V1f1srvPZcpDobcwJWR
    n3AFefIG1gAZHHG6hjdo/fAmpRUh8ejal5u1Ry9AbLMgVf83pyUa3iTTMh4DiiNR
    iuxd/tB2/ZL7I0sehXVozBpC0yJizvw0qrv19tbDCJsfd34Ec+w3/vT4K6b6HDHH
    2d8G7CPzZ/Pw8BqKPomROvTA2VDJvnt548c4XtKL6eV0uNrh6T/skDKPIwtBva7T
    FClRhSu+gpaqpFcC11hT1Rp9b68L+lIxKtyEtYnt/vVLA+Xe0b2+OKDAwenYMyWA
    YqFVw+5PHht+4YiR/ttg48l5rswBRX18eTdtYOIWBi/u6VpfYom4qwvONH0uDowv
    BEFqzOIOWzHs2Iun5tl9NbPM35UvEp6nMDgOsRQ0qBpDnP994eZVq+YM8wARAQAB
    zUBRdWFudGludXVtIEN5YmVyc2VjdXJpdHkgUGFja2FnZSBTaWduaW5nIDxvcmln
    aW5AcXVhbnRpbnV1bS5jb20+wsFcBBABCAAGBQJnmldAAAoJEHZpw15f+AYMuk4P
    /2r2sD3fAir6nPlGN7pD7yFT40sBeh8ziv08MppEIqseGC1aU0pZppEBbDT2iLPt
    DHdzcKwCmqT93U7ZTUntF2YB8tf8TQULoe63GRjQXhTTgyV1jwkOnP4shw+fjQNT
    Tvkd+QOZ//KVlxghSFL9tsD8zzPnRvxGltlowP+ZC3OtBDi2E6uu10rYvgPQ1Otk
    V6shqclhFqw4lC+dKHPQ2T41K8u17SWAPwTl3JG60J65XGmPlL6xwYenDP68SpcR
    jPsHB2kd0iO6xAmd97QN8QAI8pWpLnlCR9nDSdjDmmT/hKomBaWhO3nP0Wuf0rMk
    VOl0sG4kRNUN71AAJDIjIZeDFwRfVGETeY4OsP/lTkypAhXp5VysFVBDU0XMLNfN
    TJmhQFkGv56HDp9h6a0xkWNNO5d2EiUYZOG8RUv13PlM6ZTu1VMrfMFdBHJ0X3OF
    3bjCs5oAIO8yTLugYghPjKMD3aFo9DFC2JvVqpNqYS8efUoTp1SdER4FlHpp66kV
    eCCPQreLdQfdcwqpcaJ+qt5/2MDOXktPSyUENz2AeWYf5bPaHKNrqUjbLKu/0cTA
    Jy7kxuHccz3nQ4F+Kx15GPQHfc91Mix4YkkkTCfdfoESottzubzFbU8J09CNWC3y
    MOjwoVEv18+E5d/XgfvYmZP8/iwEZ8cf62NtxAhd/4a/
    =qhUD
    -----END PGP PUBLIC KEY BLOCK-----
    

Debian Package Verification Setup

For Debian-based systems, the qo-debsig-policy.sh script below imports the PGP public key into a debsig keyring and installs the matching debsig-verify policy. Both the keyring and the policy directory are named after the signing key id (5CAE4DF7DCBA460D), which is how debsig-verify pairs them.
#!/bin/bash
# qo-debsig-policy.sh: install the Quantum Origin public key into a debsig
# keyring and write the debsig-verify policy for it.
# Requires superuser privileges; sudo is used when not running as root.
set -e

PGP_KEY=$(cat <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZ0Ry9xYJKwYBBAHaRw8BAQdADh17kEVl/aQlV4RWEL0LvDX7pQotfCvxi+0f
DycrA2i0QFF1YW50aW51dW0gQ3liZXJzZWN1cml0eSBQYWNrYWdlIFNpZ25pbmcg
PG9yaWdpbkBxdWFudGludXVtLmNvbT6IkwQTFgoAOxYhBOrPp7vZcs3ejf3NZFyu
TffcukYNBQJnRHL3AhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEFyu
TffcukYNLhoBANVFjkAahA51vGI1ZZdx1wk41HNv9Q2nyCdXdh/gaLZgAP0dh0ZU
8hwQU9nbuYqfmhDebLDR8Jc9Kuto9vO7SfB/Cg==
=GmWv
-----END PGP PUBLIC KEY BLOCK-----
EOF
)

# debsig-verify policy: the Origin id and every Required id must equal the
# key id of the signing key held in debsig.gpg.
POLICY=$(cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">

  <!-- This is mainly a sanity check, since our filename is that of the ID
       anyway. -->
  <Origin Name="Quantum Origin" id="5CAE4DF7DCBA460D" Description="Quantum Origin Package Signing"/>

  <!-- This is required to match in order for this policy to be used. We
       reject the release Type, since we want a different rule set for
       that. -->
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="5CAE4DF7DCBA460D"/>
  </Selection>

  <!-- Once we decide to use this policy, this must pass in order to verify
       the package. -->
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="5CAE4DF7DCBA460D"/>
  </Verification>
</Policy>
EOF
)

# Prefix privileged commands with sudo unless already running as root.
CMD=""
if [ "$(id -u)" != "0" ]; then
  CMD="sudo"
fi

set -x
${CMD} mkdir -p /usr/share/debsig/keyrings/5CAE4DF7DCBA460D/
${CMD} touch /usr/share/debsig/keyrings/5CAE4DF7DCBA460D/debsig.gpg
${CMD} mkdir -p /etc/debsig/policies/5CAE4DF7DCBA460D
set +x

echo "Importing QO public key..."
echo -n "$PGP_KEY" | ${CMD} gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/5CAE4DF7DCBA460D/debsig.gpg --import
echo "Importing QO debsig-verify policy..."
echo -n "$POLICY" | ${CMD} tee /etc/debsig/policies/5CAE4DF7DCBA460D/debsig-verify.pol >/dev/null

echo "Done"

To execute the script, run it with superuser privileges; it invokes sudo itself when started as a non-root user:

./qo-debsig-policy.sh

Debian Package Verification

The debsig-verify tool is needed to verify the signature of .deb packages. It is not installed by default and may require manual installation.

debsig-verify <deb package path>
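The setup script creates a keyring directory and a policy directory that are both named after the signing key id, and the policy's Origin and Required elements must name that same id; debsig-verify then exits non-zero whenever a package does not satisfy the policy. The following shell script is an added example, not part of the Quantum Origin documentation or its scripts: it checks that layout for consistency and wraps debsig-verify so that dpkg only installs a package the verifier accepted. The POLICY_ROOT, KEYRING_ROOT, DEBSIG_VERIFY and DPKG_INSTALL variables are assumptions introduced here; they default to the standard paths and tools and can be overridden for a dry run.

```sh
#!/bin/sh
# Added example; not part of the Quantum Origin documentation or its scripts.
# check_debsig_setup: sanity-check the keyring/policy layout that
#   qo-debsig-policy.sh creates for one signing key id.
# verify_and_install_deb: install a .deb only if debsig-verify accepts it.
# Assumptions: POLICY_ROOT and KEYRING_ROOT default to the standard debsig
# paths; DEBSIG_VERIFY and DPKG_INSTALL can be overridden for a dry run.
set -u

# Print the 16-hex-digit id from the <Origin> element of a policy file.
policy_origin_id() {
  sed -n 's/.*<Origin[^>]* id="\([0-9A-Fa-f]\{16\}\)".*/\1/p' "$1" | head -n 1
}

# Print the id of every <Required> element, one per line.
policy_required_ids() {
  grep -o '<Required[^>]*>' "$1" | sed -n 's/.* id="\([0-9A-Fa-f]\{16\}\)".*/\1/p'
}

# Succeed only when the setup for KEYID is internally consistent:
#  - policy file and a non-empty keyring exist in the key-id directories,
#  - the Origin id equals the directory name (debsig pairs them by id),
#  - there is at least one <Required> element and all of them name KEYID.
check_debsig_setup() {
  keyid=$1
  pol="${POLICY_ROOT:-/etc/debsig/policies}/$keyid/debsig-verify.pol"
  ring="${KEYRING_ROOT:-/usr/share/debsig/keyrings}/$keyid/debsig.gpg"

  [ -f "$pol" ] || { echo "missing policy file: $pol" >&2; return 1; }
  [ -s "$ring" ] || { echo "missing or empty keyring: $ring" >&2; return 1; }

  origin=$(policy_origin_id "$pol")
  [ "$origin" = "$keyid" ] || { echo "Origin id '$origin' does not match $keyid" >&2; return 1; }

  n=0
  for id in $(policy_required_ids "$pol"); do
    n=$((n + 1))
    [ "$id" = "$keyid" ] || { echo "Required id '$id' does not match $keyid" >&2; return 1; }
  done
  [ "$n" -gt 0 ] || { echo "policy has no <Required> element" >&2; return 1; }
  echo "debsig setup for $keyid looks consistent"
}

# Fail closed: debsig-verify exits non-zero on any failure, so dpkg only
# runs when it returned success.
verify_and_install_deb() {
  pkg=$1
  if ! ${DEBSIG_VERIFY:-debsig-verify} "$pkg"; then
    echo "refusing to install $pkg: signature verification failed" >&2
    return 1
  fi
  ${DPKG_INSTALL:-dpkg -i} "$pkg"
}

# Stand-alone use: ./check-debsig.sh 5CAE4DF7DCBA460D [package.deb]
if [ $# -ge 1 ]; then
  check_debsig_setup "$1" || exit 1
  if [ $# -ge 2 ]; then
    verify_and_install_deb "$2"
  fi
fi
```

dpkg does not run debsig-verify on its own (Debian ships /etc/dpkg/dpkg.cfg with no-debsig), so an explicit step like verify_and_install_deb is what actually enforces the policy at install time.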

RPM Package Verification Setup

For Red Hat and AlmaLinux systems, packages are signed with one of the public keys above: QO_GPG_VERIFYING_RSA_KEY for Red Hat 8 and AlmaLinux 8, QO_GPG_VERIFYING_KEY for all other versions. To verify, first import the appropriate key into the RPM package manager's keyring.

Note: Importing keys to the keyring requires superuser privileges.

$ rpm --import QO_GPG_VERIFYING_KEY.gpg

RPM Package Verification

rpm -K <rpm package path> | grep -q 'signatures OK' && echo "rpm signature verified" || (echo 'rpm signature verification failed' && exit 1)
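The one-liner above keys on the phrase `signatures OK` in the short `rpm -K` output. That correctly fails for an unsigned package (rpm then reports only the digests) and when the key has not been imported, but it does not check which key produced the signature. The script below is an added example, not part of the Quantum Origin documentation: it classifies the verbose `rpm -K -v` report, where each signature line names its key id and status, and accepts a package only when every signature is OK and was made by the expected key. The `classify_rpm_sig_output` and `verify_rpm` names, the assumption that rpm prints the low 32 bits of the key id (so only the last eight hex digits are compared), and the sample reports are all introduced here.

```sh
#!/bin/sh
# Added example; not from the Quantum Origin documentation. Instead of
# grepping `rpm -K` output for one phrase, classify the verbose `rpm -K -v`
# report line by line: every "Signature, key ID ...: <status>" line must be
# OK and must name the expected signing key. Unsigned packages (no Signature
# lines), NOKEY (key not imported), BAD and a signature from some other key
# all fail closed.
# Assumptions: the `rpm -K -v` line layout of rpm 4.14+; rpm prints the low
# 32 bits of the key id, so only the last eight hex digits are compared
# (case-insensitively). The sample reports below are constructed.
set -u

# classify_rpm_sig_output EXPECTED_KEYID   (reads an `rpm -K -v` report on stdin)
# Prints OK, UNSIGNED, NOKEY, BAD or WRONGKEY and returns 0 only for OK.
classify_rpm_sig_output() {
  want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  [ ${#want} -ge 8 ] || { echo "expected key id too short: $1" >&2; return 2; }
  want=${want#"${want%????????}"}      # keep the last eight hex digits
  result=OK
  seen=0
  while IFS= read -r line; do
    case "$line" in
      *"Signature, key ID "*) ;;
      *) continue ;;                     # digest lines carry no key information
    esac
    seen=1
    rest=${line##*key ID }
    keyid=$(printf '%s' "${rest%%:*}" | tr 'A-F' 'a-f')
    status=${line##*: }
    case "$status" in
      OK) ;;
      NOKEY) if [ "$result" != BAD ]; then result=NOKEY; fi; continue ;;
      *) result=BAD; continue ;;         # BAD, NOTTRUSTED or anything unexpected
    esac
    case "$keyid" in
      *"$want") ;;
      *) if [ "$result" = OK ]; then result=WRONGKEY; fi ;;
    esac
  done
  [ "$seen" -eq 1 ] || result=UNSIGNED
  echo "$result"
  [ "$result" = OK ]
}

# verify_rpm EXPECTED_KEYID PACKAGE: run rpm and classify; usable as an install gate.
verify_rpm() {
  rpm -K -v "$2" | classify_rpm_sig_output "$1"
}

# Constructed sample reports in `rpm -K -v` layout (not real package output;
# the algorithm names and key id shown are illustrative).
SAMPLE_OK='qo.rpm:
    Header V4 RSA/SHA256 Signature, key ID dcba460d: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID dcba460d: OK
    MD5 digest: OK'
SAMPLE_NOKEY='qo.rpm:
    Header V4 RSA/SHA256 Signature, key ID dcba460d: NOKEY
    Header SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID dcba460d: NOKEY
    MD5 digest: OK'
SAMPLE_BAD='qo.rpm:
    Header V4 RSA/SHA256 Signature, key ID dcba460d: BAD
    Header SHA256 digest: OK
    MD5 digest: OK'
SAMPLE_UNSIGNED='qo.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

# Stand-alone use: ./check-rpm-sig.sh 5CAE4DF7DCBA460D package.rpm
if [ $# -ge 2 ]; then
  verify_rpm "$1" "$2"
fi
```

Because `verify_rpm` returns the classifier's status, it can replace the grep in an install pipeline (`verify_rpm 5CAE4DF7DCBA460D pkg.rpm && rpm -i pkg.rpm`), and the printed word tells an operator whether the failure was a missing key, a corrupt or tampered package, or a package signed by someone else.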