You are viewing a previous version of KrakenD Community Edition (v1.4).
Document updated on Mar 11, 2019
Verifying packages (PGP and SHA256)
How to make sure what you are downloading is legit.
PGP
We will check the detached PGP signature against the KrakenD package.
$ gpg --verify krakend_1.4.1_amd64.tar.gz.asc krakend_1.4.1_amd64.tar.gz
gpg: Signature made Sun Mar 10 18:17:18 2019 UTC using RSA key ID 5DE6FD698AD6FDD2
gpg: Can't check signature: public key not found
We don’t have the packager's public key (AB39BEA1) on our system. You need to retrieve the public key from a key server.
$ gpg --keyserver keyserver.ubuntu.com --recv-key 5DE6FD698AD6FDD2
gpg: requesting key 5DE6FD698AD6FDD2 from hkp server keyserver.ubuntu.com
gpg: trustdb created
gpg: key 5DE6FD698AD6FDD2: public key "Devops Faith Package Manager <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Now you can verify the signature of the package:
$ gpg --verify krakend_1.4.1_amd64.tar.gz.asc krakend_1.4.1_amd64.tar.gz
gpg: Signature made Sun Mar 10 18:17:18 2019 UTC using RSA key ID 5DE6FD698AD6FDD2
gpg: Good signature from "Devops Faith Package Manager <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5B27 0F2E 01E3 75FD 9D56 35E2 5DE6 FD69 8AD6 FDD2
SHA256
To make sure the downloaded binary matches our SHA256, check that the following two commands produce the same hash.
## Your downloaded file
$ shasum -a 256 -b krakend_1.4.1_amd64.tar.gz
## Our SHA256
$ curl https://repo.krakend.io/bin/krakend_1.4.1_amd64.tar.gz.sha256
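The PGP and SHA256 checks above can be scripted so that a download is rejected unless the signature comes from the key with the primary fingerprint shown in the gpg output and the digests match. This is an added example, not KrakenD's own tooling: the function names are hypothetical, and it assumes the published .sha256 content carries the digest as its first whitespace-separated field and that you have confirmed the fingerprint with the publisher.

```shell
#!/bin/sh
# Added example, not KrakenD's tooling. Function names are hypothetical.
# Fingerprint copied from the "Primary key fingerprint" line on this page.
PINNED_FPR="5B270F2E01E375FD9D5635E25DE6FD698AD6FDD2"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only when gpg
# reported GOODSIG (not expired or revoked) and a VALIDSIG line whose last
# field, the primary key fingerprint, equals the pinned value. Fails closed.
status_has_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { pinned = 1 }
        END { exit !(good && pinned) }'
}

# Prints the lowercase SHA256 hex digest of a file with whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 -b "$1"
    fi | awk '{ print tolower($1) }'
}

# Compares a file's digest with the published text. Assumption: the digest is
# the first whitespace-separated field of the published .sha256 content.
sha256_matches() {
    want=$(printf '%s\n' "$2" | awk 'NR == 1 { print tolower($1) }')
    [ -n "$want" ] && [ "$(sha256_of "$1")" = "$want" ]
}

# Runs both checks on a downloaded package and its detached .asc signature.
# Usage: verify_package krakend_1.4.1_amd64.tar.gz && echo verified
verify_package() {
    pkg=$1
    gpg --status-fd 1 --verify "$pkg.asc" "$pkg" 2>/dev/null \
        | status_has_pinned_key || return 1
    published=$(curl -fsS "https://repo.krakend.io/bin/$(basename "$pkg").sha256") \
        || return 1
    sha256_matches "$pkg" "$published"
}
```

Pinning the fingerprint is what addresses the "not certified with a trusted signature" warning: a signature from any other key imported into the keyring is rejected even though gpg would report it as good.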