You are viewing a previous version of KrakenD Community Edition (v1.4), go to the latest version

Document updated on Mar 11, 2019

Verifying packages (PGP and SHA256)

How to make sure what you are downloading is legit.

PGP

We will check the detached PGP signature against the KrakenD package.

$ gpg --verify krakend_1.4.1_amd64.tar.gz.asc krakend_1.4.1_amd64.tar.gz
gpg: Signature made Sun Mar 10 18:17:18 2019 UTC using RSA key ID 5DE6FD698AD6FDD2
gpg: Can't check signature: public key not found

We don’t have the packager's public key (AB39BEA1) on our system yet. You need to retrieve the public key from a key server.

$ gpg --keyserver keyserver.ubuntu.com --recv-key 5DE6FD698AD6FDD2
gpg: requesting key 5DE6FD698AD6FDD2 from hkp server keyserver.ubuntu.com
gpg: trustdb created
gpg: key 5DE6FD698AD6FDD2: public key "Devops Faith Package Manager <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Now you can verify the signature of the package:

$ gpg --verify krakend_1.4.1_amd64.tar.gz.asc krakend_1.4.1_amd64.tar.gz
gpg: Signature made Sun Mar 10 18:17:18 2019 UTC using RSA key ID 5DE6FD698AD6FDD2
gpg: Good signature from "Devops Faith Package Manager <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5B27 0F2E 01E3 75FD 9D56  35E2 5DE6 FD69 8AD6 FDD2

SHA256

To make sure the downloaded binary matches our SHA256, check that the following two commands produce the same SHA output.

## Your downloaded file
$ shasum -a 256 -b krakend_1.4.1_amd64.tar.gz
## Our SHA256
$ curl https://repo.krakend.io/bin/krakend_1.4.1_amd64.tar.gz.sha256
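
Both checks above combined into one script, as an added example that is not part of the KrakenD documentation or tooling. Because gpg warns that the key is not certified, the script accepts a signature only when gpg's machine-readable status names the primary key fingerprint printed in the PGP section; the function names and passing the published checksum as text are assumptions of this example.

```shell
#!/bin/sh
# Added example, not KrakenD tooling. Function names are hypothetical.
# Pin: the "Primary key fingerprint" from the gpg output above, spaces removed.
PINNED_FPR="5B270F2E01E375FD9D5635E25DE6FD698AD6FDD2"

# Reads gpg --status-fd output on stdin. Succeeds only when gpg reported
# GOODSIG and a VALIDSIG record names the pinned key as signing key (field 3)
# or primary key (last field). A "Good signature" from any other key fails.
status_has_pinned_sig() {
    awk -v pin="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == pin || $NF == pin) { valid = 1 }
        END { exit !(good && valid) }'
}

# Prints the SHA256 of a file as lowercase hex, with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 -b "$1"
    fi | awk '{ print tolower($1) }'
}

# Compares the file's digest with the first field of the published checksum
# text, so both "<hash>" and "<hash>  <filename>" layouts are accepted.
sha256_matches() {
    want=$(printf '%s\n' "$2" | awk 'NR == 1 { print tolower($1) }')
    [ -n "$want" ] && [ "$(sha256_of "$1")" = "$want" ]
}

# verify_package <tarball> <detached .asc> <published checksum text>
verify_package() {
    sha256_matches "$1" "$3" || { echo "SHA256 mismatch" >&2; return 1; }
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_has_pinned_sig "$PINNED_FPR" ||
        { echo "no good signature from the pinned key" >&2; return 1; }
    echo "OK: checksum and pinned-key signature verified"
}

# Example call: verify_package krakend_1.4.1_amd64.tar.gz \
#   krakend_1.4.1_amd64.tar.gz.asc "$(curl -s <published .sha256 URL>)"
if [ "$#" -eq 3 ]; then verify_package "$@"; fi
```

The pin is only as trustworthy as the channel the fingerprint was read from, so compare it against a copy obtained independently of the download.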