Package signing

Signing packages adds an extra level of trustworthiness to a product. PowerVC ships both RPM packages and Debian packages with its installer.

Listed below are the approaches used to GPG-sign the RPMs and the repository for the Debian packages.
  • All individual RPMs shipped as part of the PowerVC installer are signed with a private GPG key. During PowerVC installation, the signature on each RPM is verified with the public key provided as part of the installer. This verification happens through the temporary repository that the installer creates to install the RPMs, for which the gpgcheck option is enabled.
  • In the case of Debian packages, the repository containing the Debian packages is signed as a whole. The signature of this repository is verified during installation when the command apt-get update is run.
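Both mechanisms above only protect the install if the client-side checks stay switched on: gpgcheck=1 with a gpgkey for the temporary yum/dnf repository, and no trusted=yes override on the apt source. The script below is an added example (not part of the PowerVC installer) that audits repository definitions for exactly those settings; the repo names, file paths and sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the PowerVC installer: audit repository definitions
# for settings that would silence the signature checks described above.
# All sample files below are constructed for the example.

# yum/dnf: every [section] must have gpgcheck=1 and a gpgkey, otherwise print the
# offending section names and return 1.
audit_yum_repo() {
    awk '
        function flush() {
            if (sec != "" && (gpgcheck != "1" || gpgkey == "")) { print sec; bad = 1 }
        }
        /^\[.*\]$/ { flush(); sec = $0; gpgcheck = ""; gpgkey = ""; next }
        /^gpgcheck[ \t]*=/ { sub(/^gpgcheck[ \t]*=[ \t]*/, ""); gpgcheck = $0 }
        /^gpgkey[ \t]*=/   { sub(/^gpgkey[ \t]*=[ \t]*/, "");   gpgkey = $0 }
        END { flush(); exit bad }
    ' "$1"
}

# apt: a "deb [trusted=yes] ..." entry tells apt-get update to accept an unsigned
# or wrongly signed Release file; print such lines and return 1 if any exist.
audit_apt_sources() {
    ! grep -E '^deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$1"
}

TMP=$(mktemp -d)
cat > "$TMP/good.repo" <<'EOF'
[powervc-temp]
name=Temporary installer repository (constructed sample)
baseurl=file:///path/to/installer/rpms
gpgcheck=1
gpgkey=file:///path/to/installer/RPM-GPG-KEY-PUBLIC
EOF
cat > "$TMP/bad.repo" <<'EOF'
[powervc-temp]
baseurl=file:///path/to/installer/rpms
gpgcheck=0
EOF
printf 'deb [arch=amd64] file:///path/to/installer/debs ./\n' > "$TMP/good.list"
printf 'deb [trusted=yes] file:///path/to/installer/debs ./\n' > "$TMP/bad.list"

for f in "$TMP/good.repo" "$TMP/bad.repo"; do
    if audit_yum_repo "$f"; then echo "$f: gpgcheck enforced"; else echo "$f: FAIL"; fi
done
for f in "$TMP/good.list" "$TMP/bad.list"; do
    if audit_apt_sources "$f"; then echo "$f: signature check kept"; else echo "$f: FAIL"; fi
done
```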

Administrators can validate the RPM-GPG-KEY-PUBLIC key shipped as part of the PowerVC installer; see Verify RPM-GPG-KEY-PUBLIC key.