Verify Release Signature

Signing keys

Release tarballs are signed by our FreeIPA Master Signing Key.

 pub   rsa4096/0xF40800B6298EB963 2017-11-28 [SC]
       Key fingerprint = 0E63 D716 D76A C080 A4A3  3513 F408 00B6 298E B963
 uid                   [  full  ] FreeIPA Master Signing Key

Releases prior to 2017-11-29 were signed by the following key.

pub   rsa4096/0xA1FBA5F7EF8C4869 2016-12-07 [SC] [expires: 2018-01-10]
      Key fingerprint = 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869
uid                   [ultimate] Tomas Krizek <tkrizek@redhat.com>

Verifying signature

Make sure you have the keys above in your keyring.

$ gpg --keyserver pool.sks-keyservers.net --recv-keys 0xF40800B6298EB963 0xA1FBA5F7EF8C4869 

Download the release tarball and its signature file. You can verify the tarball with the following command.

$ gpg --verify freeipa-x.y.z.tar.gz{.asc,}
gpg: Signature made Fri 24 Mar 2017 09:41:35 AM CET
gpg:                using RSA key 0x22A2A94B5E49415A
gpg: Good signature from "Tomas Krizek <tkrizek@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869
     Subkey fingerprint: 9912 5D99 7004 02C4 A77C  715D 22A2 A94B 5E49 415A

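Check that the primary key fingerprint matches the fingerprint of one of the developers' keys listed above. The "not certified with a trusted signature" warning only means the key has not been marked as trusted in your own keyring; the fingerprint comparison is what ties the signature to the keys on this page.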
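
The fingerprint comparison in the last step can be scripted so that it fails closed. This is an added example, not FreeIPA project code: it pins the two fingerprints listed above and reads gpg's machine-readable --status-fd output. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): compare the primary key
# fingerprint gpg reports with the fingerprints pinned from this page.

# Primary key fingerprints listed on this page, spaces removed.
TRUSTED_FPRS="0E63D716D76AC080A4A33513F40800B6298EB963
4A8BA48C2AED933BD495C509A1FBA5F7EF8C4869"

# Read `gpg --status-fd` output on stdin and print the primary key
# fingerprint of the first valid signature. On a VALIDSIG line the first
# fingerprint is the key that made the signature (possibly a subkey) and
# the last field is the primary key fingerprint.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1; exit }
         END { exit !found }'
}

# Succeed only on an exact match with one of the pinned fingerprints.
is_trusted_fpr() {
    [ -n "$1" ] && printf '%s\n' "$TRUSTED_FPRS" | grep -qxF -- "$1"
}

# verify_release TARBALL SIGNATURE  (hypothetical helper name)
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || {
        echo "FAIL: gpg rejected the signature" >&2; return 1; }
    fpr=$(printf '%s\n' "$status" | primary_fpr_from_status) || {
        echo "FAIL: no valid signature reported" >&2; return 1; }
    is_trusted_fpr "$fpr" || {
        echo "FAIL: signed by unlisted key $fpr" >&2; return 1; }
    echo "OK: $1 is signed by pinned key $fpr"
}

if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
else
    # Constructed status line (timestamp and numeric fields are made up;
    # the two fingerprints are the ones in the sample output on this page).
    demo='[GNUPG:] VALIDSIG 99125D99700402C4A77C715D22A2A94B5E49415A 2017-03-24 1490344895 0 4 0 1 8 00 4A8BA48C2AED933BD495C509A1FBA5F7EF8C4869'
    fpr=$(printf '%s\n' "$demo" | primary_fpr_from_status)
    is_trusted_fpr "$fpr" && echo "demo: $fpr is pinned"
fi
```

Run it with the tarball and its .asc file as the two arguments; a signature from a key whose primary fingerprint is not pinned is reported as a failure even though gpg prints "Good signature" for it.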