OSG Release Signing Information¶
Verifying OSG's RPMs¶
We use a GPG key to sign our software packages. Normally yum
and rpm
transparently use the GPG signatures to verify the packages have not been corrupted and were created by us. You get our GPG public key when you install the osg-release
RPM.
If you wish to verify one of our RPMs manually, you can run:
$ rpm --checksig -v <NAME.RPM>
For example:
$ rpm --checksig -v globus-core-8.0-2.osg.x86_64.rpm
globus-core-8.0-2.osg.x86_64.rpm:
Header V3 DSA signature: OK, key ID 824b8603
Header SHA1 digest: OK (2b5af4348c548c27f10e2e47e1ec80500c4f85d7)
MD5 digest: OK (d11503a229a1a0e02262034efe0f7e46)
V3 DSA signature: OK, key ID 824b8603
The OSG Packaging Signing Keys¶
The OSG Software Team has two GPG keys for signing RPMs; the first key is used for packages before the 3.6 release series, and the second key is used for packages in the 3.6 release series and afterward.
Key 1 (3.0 to 3.5) | |
---|---|
Location | /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG |
Download | UW-Madison, GitHub |
Fingerprint | 6459 !D9D2 AAA9 AB67 A251 FB44 2110 !B1C8 824B 8603 |
Key ID | 824b8603 |
Key 2 (3.6 and on) | |
---|---|
Location | /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-2 |
Download | UW-Madison, GitHub |
Fingerprint | 1216 FF68 897A 77EA 222F C961 27DC 6864 96D2 B90F |
Key ID | 96d2b90f |
Note
Some packages in the 3.6 repos may still be signed with the old key;
the osg-release
RPM contains both keys so you can verify old packages.
You can see the fingerprint for yourself. On EL 7 and older (GnuPG < 2.1.13):
$ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG
pub 1024D/824B8603 2011-09-15 OSG Software Team (RPM Signing Key for Koji Packages) <[email protected]>
Key fingerprint = 6459 D9D2 AAA9 AB67 A251 FB44 2110 B1C8 824B 8603
sub 2048g/28E5857C 2011-09-15
$ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-2
pub 4096R/96D2B90F 2021-02-24 Open Science Grid Software <[email protected]>
Key fingerprint = 1216 FF68 897A 77EA 222F C961 27DC 6864 96D2 B90F
sub 4096R/49E9ACC2 2021-02-24
On EL 8 and newer (GnuPG >= 2.1.13):
$ gpg --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG
pub dsa1024 2011-09-15 [SC]
6459D9D2AAA9AB67A251FB442110B1C8824B8603
uid OSG Software Team (RPM Signing Key for Koji Packages) <[email protected]>
sub elg2048 2011-09-15 [E]
$ gpg --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-2
pub rsa4096 2021-02-24 [SC]
1216FF68897A77EA222FC96127DC686496D2B90F
uid Open Science Grid Software <[email protected]>
sub rsa4096 2021-02-24 [E]