This page explains how to verify, using GPG or RPM, that the code you received was signed with digital private keys held only by HP. The same check confirms that the file has not been manipulated by a third party since HP released it.
Download the keys

Copy the compressed tar file (HP-GPG-Public-Keys.tar.gz) from the link below to a local directory and extract the public keys:

https://ftp.hp.com/pub/keys/HP-GPG-Public-Keys.tar.gz

Import the keys for RPM

Import the public keys one at a time while logged in as root by running the following command:

# rpm --import /path_to_the_key/file_name_of_the_key

Example:

# rpm --import /path_to_the_key/B1275EA3.pub
Import the keys for GPG

For each key that you have extracted, install the public key using the --import flag of the gpg command:

# gpg --import /path_to_the_key/file_name_of_the_key

Example:

# gpg --import /path_to_the_key/B1275EA3.pub
Verify using RPM

Use the rpm --checksig command to validate and verify the digital signature of the signed file. The output from the command indicates whether the signature is valid:

# rpm --checksig filename_of_the_rpm

Example result:

# rpm --checksig filename_of_the_rpm.rpm
filename_of_the_rpm.rpm: sha1 md5 OK

If the file does not pass verification, or if you do not have the HP public key installed, you will see an error such as:

# rpm --checksig sample_file.rpm
sample_file.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: key#s)

In this case do not install the RPM: either the file has been modified in some way since HP released it, or the HP public key needed to check it has not been imported.
Verify using GPG

Use the gpg --verify command to validate and verify the digital signature of the signed file. The output from the command indicates whether the signature is valid. Specify the .sig (detached signature) file and the corresponding input file in the command:

# gpg --verify filename.sig filename

If the trust level of the key has not been set, you will see a trust warning similar to this:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

Because you downloaded the key from this site, and this site is SSL secured by HP, you can ultimately trust that this public key is indeed from HP. Therefore edit the key to set its trust level so that verification completes without the warning.
First find the "key_name" of the key: run the command below and select the key that you need to trust.

# gpg --list-keys

Example of a "key_name":

"Hewlett-Packard Company RSA (HP Codesigning Service) - 1"

Edit the key:

# gpg --edit-key "key_name"

Then type the command "trust" and select "5" to trust the key ultimately. Confirm, then type "quit" to exit.
Going forward, you should not see the warning about an untrusted identity when verifying the signature. Example verification output:

# gpg --verify test.bin.sig test.bin
gpg: Signature made Thu 03 Jan 2013 04:48:47 PM UTC using RSA key ID 5CE2D476
gpg: Good signature from "Hewlett-Packard Company RSA (HP Codesigning Service)"
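The RPM and GPG checks above are easy to misread in an install script: rpm prints "OK" even for a package that carries no signature at all, and gpg reports a good signature even when the key is unknown or untrusted. The following added example (not HP's own code) classifies the output of `rpm --checksig` and the machine-readable `--status-fd` output of `gpg --verify` so a script can refuse anything other than a signature by the expected HP key with its trust set; the key ID is the short ID from the page's example output, and the sample lines are constructed.

```shell
# Added example, not HP's script: classify rpm --checksig output and
# gpg --status-fd output so an install script refuses files that are
# unsigned, tampered with, signed by an unexpected key, or untrusted.
EXPECTED_KEYID="5CE2D476"   # short key ID from the page's example output

# classify_rpm_checksig OUTPUT -> SIGNED_OK | UNSIGNED | NOT_OK
# rpm prints a signature token (pgp, gpg, "(GPG)" or "signatures") beside
# OK only when a signature was verified; "sha1 md5 OK" alone means only
# the digests matched and no signature was checked, so treat it as unsigned.
classify_rpm_checksig() {
    case $1 in
        *"NOT OK"*)                              echo NOT_OK ;;
        *pgp*OK|*gpg*OK|*GPG*OK|*signatures*OK)  echo SIGNED_OK ;;
        *OK)                                     echo UNSIGNED ;;
        *)                                       echo NOT_OK ;;
    esac
}

# classify_gpg_status STATUS -> GOOD_TRUSTED|GOOD_UNTRUSTED|WRONG_KEY|NO_PUBKEY|BAD
# STATUS is the output of: gpg --status-fd 1 --verify filename.sig filename
classify_gpg_status() {
    status=$1
    # GOODSIG carries the 16-digit long key ID; its last 8 digits are the
    # short ID that gpg --verify prints after "using RSA key ID".
    sig_key=$(printf '%s\n' "$status" |
              awk '$1 == "[GNUPG:]" && $2 == "GOODSIG" { print $3; exit }')
    if [ -z "$sig_key" ]; then
        case $status in
            *"[GNUPG:] NO_PUBKEY"*) echo NO_PUBKEY ;;
            *)                      echo BAD ;;
        esac
        return
    fi
    case $sig_key in
        *"$EXPECTED_KEYID") ;;
        *) echo WRONG_KEY; return ;;
    esac
    # A good signature from a key with no trust set still reports GOODSIG,
    # but with TRUST_UNDEFINED: the "not certified" warning in status form.
    case $status in
        *TRUST_ULTIMATE*|*TRUST_FULLY*) echo GOOD_TRUSTED ;;
        *)                              echo GOOD_UNTRUSTED ;;
    esac
}

# verify_hp_file SIGFILE FILE -> exit status 0 only for GOOD_TRUSTED
verify_hp_file() {
    result=$(classify_gpg_status "$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null)")
    echo "$2: $result"
    [ "$result" = GOOD_TRUSTED ]
}
```

Call `verify_hp_file filename.sig filename` from an install script and abort on a non-zero exit; the classifier functions can also be fed saved output when auditing a download after the fact.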