Document updated on Mar 11, 2019
How to make sure what you are downloading is legit.
We will check the detached PGP signature against the KrakenD package.
$ gpg --verify krakend_1.3.0_amd64.tar.gz.asc krakend_1.3.0_amd64.tar.gz
gpg: Signature made Sun Mar 10 18:17:18 2019 UTC using RSA key ID 5DE6FD698AD6FDD2
gpg: Can't check signature: public key not found
We don't have the packager's public key (AB39BEA1) on our system. You need to retrieve the public key from a key server.
$ gpg --keyserver keyserver.ubuntu.com --recv-key 5DE6FD698AD6FDD2
gpg: requesting key 5DE6FD698AD6FDD2 from hkp server keyserver.ubuntu.com
gpg: trustdb created
gpg: key 5DE6FD698AD6FDD2: public key "Devops Faith Package Manager <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Now you can verify the signature of the package:
$ gpg --verify krakend_1.3.0_amd64.tar.gz.asc krakend_1.3.0_amd64.tar.gz
gpg: Signature made Sun Mar 10 18:17:18 2019 UTC using RSA key ID 5DE6FD698AD6FDD2
gpg: Good signature from "Devops Faith Package Manager <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5B27 0F2E 01E3 75FD 9D56 35E2 5DE6 FD69 8AD6 FDD2
To make sure the downloaded binary matches our SHA256, check that the next two commands produce the same SHA output.
## Your downloaded file
$ shasum -a 256 -b krakend_1.3.0_amd64.tar.gz
## Our SHA256
$ curl https://download.krakend.io/bin/krakend_1.3.0_amd64.tar.gz.sha256
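The two checks above combined into one script, as an added example that is not KrakenD's own code: it pins the primary key fingerprint printed by gpg instead of relying on the "Good signature" text, which gpg prints for any imported key, and then compares the SHA256. The function names are hypothetical and the layout of the published .sha256 file is an assumption.

```shell
#!/bin/sh
# Added example (not KrakenD's own script). Function names are hypothetical.

# Primary key fingerprint printed by gpg in the output above, spaces removed.
EXPECTED_FPR="5B270F2E01E375FD9D5635E25DE6FD698AD6FDD2"

# Constructed sample of `gpg --status-fd 1 --verify` output for offline testing.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5DE6FD698AD6FDD2 Devops Faith Package Manager
[GNUPG:] VALIDSIG 5B270F2E01E375FD9D5635E25DE6FD698AD6FDD2 2019-03-10 1552241838 0 4 0 1 8 00 5B270F2E01E375FD9D5635E25DE6FD698AD6FDD2'

# Read gpg status lines on stdin; print the signer's primary key fingerprint.
# GOODSIG is required so signatures from expired or revoked keys, which gpg
# reports as EXPKEYSIG / REVKEYSIG, print nothing.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") print fpr }'
}

# signed_by <fingerprint>: succeed only if stdin shows a good signature by it.
signed_by() {
    fpr=$(signer_fpr)
    [ -n "$fpr" ] && [ "$fpr" = "$1" ]
}

# verify_signature <file.asc> <file>: run gpg and apply the pinned fingerprint.
verify_signature() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | signed_by "$EXPECTED_FPR"
}

# Print the lowercase hex SHA256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 -b "$1"; fi | awk '{ print tolower($1) }'
}

# checksum_matches <file> <published text>: the first field of the published
# text is taken as the hash (assumed layout: "<hash>" or "<hash>  <name>").
checksum_matches() {
    want=$(printf '%s\n' "$2" | awk '{ print tolower($1); exit }')
    [ -n "$want" ] && [ "$(sha256_of "$1")" = "$want" ]
}

# Usage:
#   verify_signature krakend_1.3.0_amd64.tar.gz.asc krakend_1.3.0_amd64.tar.gz &&
#   checksum_matches krakend_1.3.0_amd64.tar.gz \
#     "$(curl -fsS https://download.krakend.io/bin/krakend_1.3.0_amd64.tar.gz.sha256)"
```

The checksum guards against a corrupted or truncated download; the pinned signature is the check that ties the file to the packager's key.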