Document updated on Mar 11, 2019
Verifying packages (PGP and SHA256)
How to make sure the package you downloaded is the one the KrakenD maintainers published and that it arrived intact.
PGP
We verify the detached PGP signature (the .asc file published next to the package) against the KrakenD tarball. The signature covers the tarball exactly as downloaded, so verify the archive itself, not its extracted contents.
$ gpg --verify krakend_2.7.2_amd64_generic-linux.tar.gz.asc krakend_2.7.2_amd64_generic-linux.tar.gz
gpg: Signature made Sun Mar 10 18:17:18 2019 UTC using RSA key ID 5DE6FD698AD6FDD2
gpg: Can't check signature: public key not found
gpg cannot check the signature yet because the packager's public key (RSA key ID 5DE6FD698AD6FDD2, the ID printed in the "Signature made" line) is not in your keyring. Retrieve it from a key server:
$ gpg --keyserver keyserver.ubuntu.com --recv-key 5DE6FD698AD6FDD2
gpg: requesting key 5DE6FD698AD6FDD2 from hkp server keyserver.ubuntu.com
gpg: trustdb created
gpg: key 5DE6FD698AD6FDD2: public key "Devops Faith Package Manager <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
Now you can verify the signature of the package:
$ gpg --verify krakend_2.7.2_amd64_generic-linux.tar.gz.asc krakend_2.7.2_amd64_generic-linux.tar.gz
gpg: Signature made Sun Mar 10 18:17:18 2019 UTC using RSA key ID 5DE6FD698AD6FDD2
gpg: Good signature from "Devops Faith Package Manager <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5B27 0F2E 01E3 75FD 9D56 35E2 5DE6 FD69 8AD6 FDD2

The WARNING is expected: there is no web-of-trust path from your keyring to this key, so "Good signature" only proves that the tarball was signed by the key you just fetched. Anyone can upload a key with any name to a public key server, so a matching user ID proves nothing by itself. Before trusting the result, compare the full primary key fingerprint printed above (5B27 0F2E 01E3 75FD 9D56 35E2 5DE6 FD69 8AD6 FDD2) with a copy you obtained from a source you trust, such as the project's website over HTTPS, rather than from the key server, and check that the key ID in the "Signature made ... using RSA key ID" line is the one you expected. Always match the whole fingerprint, not just a key ID, and prefer fetching the key by its full fingerprint.
SHA256
To check that the binary you downloaded is intact, compute its SHA256 digest and compare it with the published one: the next two commands must print the same hex digest. Note that the .sha256 file is served from the same host as the tarball, so a matching checksum detects a corrupted or truncated download but not a package that was replaced on the server or in transit; the PGP signature above is the check for that.
$ shasum -a 256 -b krakend_2.7.2_amd64_generic-linux.tar.gz
Compare it to:
$ curl https://download.krakend.io/bin/krakend_2.7.2_amd64_generic-linux.tar.gz.sha256
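The two manual procedures above (PGP signature check, then SHA256 comparison) can be combined into one script that pins the expected signing-key fingerprint instead of relying on the human-readable "Good signature" line. The script below is an added example, not KrakenD's own tooling. It assumes gpg and one of sha256sum, shasum or openssl are on PATH, that the .asc and .sha256 files sit next to the tarball with the same base name, and that the .sha256 file starts with the hex digest, optionally followed by a file name; the fingerprint is the one printed by gpg on this page.

```shell
#!/bin/sh
# Added example, not KrakenD's own tooling: verify a downloaded KrakenD
# release tarball against a pinned signing-key fingerprint and its .sha256
# file. Assumptions: gpg and one of sha256sum / shasum / openssl are on
# PATH; the .asc and .sha256 files sit next to the tarball with the same
# base name; the .sha256 file starts with the hex digest (optionally
# followed by a file name).

# Primary key fingerprint from the gpg output shown on this page, with the
# spaces removed so it matches gpg's status lines.
KRAKEND_FPR="5B270F2E01E375FD9D5635E25DE6FD698AD6FDD2"

# Print the lowercase SHA-256 hex digest of file $1 with whichever tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print tolower($1)}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print tolower($1)}'
  else
    openssl dgst -sha256 "$1" | awk '{print tolower($NF)}'
  fi
}

# Compare the digest of file $1 with the digest recorded in checksum file $2.
# Only the first field of the first line is used, so "<hex>" and
# "<hex>  <name>" both work and the recorded file name need not match the
# local one. Returns 0 on match, 1 on mismatch or an empty/missing file.
check_sha256() {
  expected=$(awk 'NR == 1 { print tolower($1) }' "$2" 2>/dev/null)
  actual=$(sha256_of "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify detached signature $1 over file $2 and require that it was made by
# the pinned key. gpg's machine-readable status output (--status-fd 1) is
# parsed instead of the human-readable "Good signature" text, and the
# fingerprint must appear as the signing key (field 3) or the primary key
# (last field) of the VALIDSIG line, so a signature by some other key whose
# user ID also says "Devops Faith" is rejected. Returns 0 only on success.
verify_pgp() {
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    awk -v fpr="$KRAKEND_FPR" \
      '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 } END { exit !ok }'
}

# Run both checks on tarball $1; stop at the first failure.
verify_release() {
  verify_pgp "$1.asc" "$1" || { echo "$1: PGP verification FAILED" >&2; return 1; }
  check_sha256 "$1" "$1.sha256" || { echo "$1: SHA256 mismatch" >&2; return 1; }
  echo "$1: signature and checksum OK"
}

# Usage: sh verify_krakend.sh krakend_2.7.2_amd64_generic-linux.tar.gz
[ $# -eq 0 ] || verify_release "$1"
```

Pinning the fingerprint in the script is what turns the keyserver lookup from a trust decision into a mere transport: whatever key the server hands back, the check only passes if the signature was made by the key whose fingerprint you verified out of band. The checksum step is kept as an integrity check for the download itself.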