Package signing
Signing packages adds an extra level of trustworthiness to a product. PowerVC ships both RPM packages and Debian packages with its installer.
Listed below are the approaches followed to GPG sign the RPMs and the repository for the Debian packages.
- All individual RPMs shipped as part of the PowerVC installer are signed with a private GPG key. During PowerVC installation, the signature on each RPM is verified against a public key provided as part of the installer. This verification happens via the temporary repository that the installer creates to install the RPMs; the gpgcheck option is enabled for that repository.
- In the case of Debian packages, the repository containing the Debian packages is signed as a whole. The signature of this repository is verified during installation when the command apt-get update is run.
Administrators can validate the RPM-GPG-KEY-PUBLIC key shipped as part of the PowerVC installer; see Verify RPM-GPG-KEY-PUBLIC key.
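As an added example (not part of the PowerVC documentation or installer), the following POSIX shell script audits repository definitions for the two checks described above: every section of a yum .repo file must set gpgcheck=1 and name a gpgkey, and no apt source line may carry the trusted=yes option, which would skip the repository signature verification that apt-get update performs. The repository names, paths and sample files are constructed.

```shell
#!/bin/sh
# Added example, not PowerVC code: audit repository definitions for the
# signature checks this page relies on. Paths and repo names are constructed.

# check_yum_repo FILE
# Succeeds only if every [section] in FILE sets gpgcheck=1 and a gpgkey=.
check_yum_repo() {
    awk '
        BEGIN { bad = 0 }
        function report() {
            if (sec == "") return
            if (gpgcheck != "1") { printf "%s: gpgcheck=%s (expected 1)\n", sec, (gpgcheck == "" ? "unset" : gpgcheck); bad = 1 }
            if (gpgkey == "")    { printf "%s: no gpgkey configured\n", sec; bad = 1 }
        }
        /^[ \t]*\[/ { report(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
                      gpgcheck = ""; gpgkey = ""; next }
        /^[ \t]*gpgcheck[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); gpgcheck = v }
        /^[ \t]*gpgkey[ \t]*=/   { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); gpgkey = v }
        END { report(); exit bad }
    ' "$1"
}

# check_apt_source FILE
# Fails (and prints the offending line) if a deb line disables signature
# verification with the [trusted=yes] option.
check_apt_source() {
    ! grep -Ein '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$1"
}

# Constructed samples: a repo shaped like the installer's temporary one,
# and a second repo where signature checking has been switched off.
demo() {
    d=$(mktemp -d)
    cat > "$d/good.repo" <<'EOF'
[powervc-temp]
name=PowerVC temporary install repository (constructed)
baseurl=file:///tmp/powervc-install/rpms
enabled=1
gpgcheck=1
gpgkey=file:///tmp/powervc-install/RPM-GPG-KEY-PUBLIC
EOF
    cat > "$d/bad.repo" <<'EOF'
[unsigned-extras]
baseurl=file:///tmp/extras
gpgcheck=0
EOF
    check_yum_repo "$d/good.repo" && echo "good.repo: signature checking enforced"
    check_yum_repo "$d/bad.repo"  || echo "bad.repo: signature checking disabled"
    rm -rf "$d"
}
demo
```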