Package Signature Verification for Druva Cloud Platform
Updated over 3 months ago

Overview

Package signature verification ensures the integrity and authenticity of Linux binaries. The verification process protects you from maliciously modified or altered packages and lets you confirm a downloaded package's integrity before you install it.

Package signature verification

Druva signs Linux packages with a private key. To verify the integrity of these packages, you can use the public key available on the Downloads Page.


📝 Note
Package signature verification is optional but recommended.


To verify the package signature, you can use GNU Privacy Guard (GPG), a free software implementation of the OpenPGP standard for data encryption and signing.

Druva packages are signed with a GPG key with the following fingerprint:

5484 5406 BCB6 BB5E 9BD7 B5D2 4DB5 6527 A03A F36D

Workflow for package signature verification

Following are the steps involved in verifying a package signature:

  1. Import Druva's public key to your local GPG keyring.

  2. Verify the signature of the package.

  3. Proceed with installation if the signature is valid.

The exact commands vary depending on your Linux distribution.

Prerequisites

You need the gpg utility, which most Linux distributions bundle.

Validate .deb package signature

You can validate a .deb package signature with the following commands:

  1. Install the Debian Package Archive Signature Verification (dpkg-sig) tool as follows:
    apt-get install dpkg-sig

  2. Import Druva's GPG public key to the local GPG keyring:
    gpg --import gpg-sign-pub-key.pub

  3. Verify the signature:
    dpkg-sig -c Druva-package-name.deb

If the verification is successful, you will see the following message:
GOODSIG _gpgorigin

Validate .rpm package signature

You can validate an .rpm package signature with the following commands:

  1. Install the RPM Package Manager, if required, as follows:
    apt-get install rpm

  2. Import Druva’s GPG public key to the local GPG keyring:
    rpm --import gpg-sign-pub-key.pub

  3. Verify the signature:
    rpm --checksig Druva-package-name.rpm

If the verification is successful, you will see the following message:

digests signatures OK
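
The import steps above load gpg-sign-pub-key.pub without comparing it to the fingerprint published on this page. The script below is an added example, not Druva's own tooling, that makes that comparison before running gpg --import; the function names, the constructed sample listing and the use of gpg --show-keys are assumptions of the example.

```sh
#!/bin/sh
# Added example: refuse to import a key file whose fingerprint is not the pinned one.
EXPECTED_FPR="5484 5406 BCB6 BB5E 9BD7 B5D2 4DB5 6527 A03A F36D"  # published on this page

# Constructed sample of `gpg --with-colons` output (key size, dates and the
# subkey are made-up values; only the primary fingerprint comes from the page).
SAMPLE_LISTING='pub:-:4096:1:4DB56527A03AF36D:0:::-:::scESC:
fpr:::::::::54845406BCB6BB5E9BD7B5D24DB56527A03AF36D:
sub:-:4096:1:0000000000000000:0::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# Drop whitespace and upper-case, so the spaced form compares with gpg's output.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# stdin: colon listing. Prints the fingerprint of every primary key, i.e. the
# fpr record that directly follows a pub record; subkey fingerprints are skipped.
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "fpr" { if (want) print $10; want = 0 }'
}

# stdin: colon listing, $1: expected fingerprint. Succeeds only when the listing
# holds exactly one primary key and its fingerprint equals the expected one.
listing_matches() {
  found=$(primary_fprs)
  [ -n "$found" ] && [ "$found" = "$(normalize_fpr "$1")" ]
}

# $1: key file. Inspects the file without touching the keyring, then imports it.
# Assumes a GnuPG release that supports --show-keys.
import_if_pinned() {
  if gpg --show-keys --with-colons "$1" | listing_matches "$EXPECTED_FPR"; then
    gpg --import "$1"
  else
    echo "fingerprint mismatch in $1; key not imported" >&2
    return 1
  fi
}

# Usage: sh pin-key.sh gpg-sign-pub-key.pub   (script name is hypothetical)
if [ "$#" -gt 0 ]; then import_if_pinned "$1"; fi
```

The same check applies before rpm --import, which reads the same key file.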
