Packages Signed with GPG-Enabled Keys

(From UIM 20.3.3) Starting with this release, the UIM .rpm and .deb packages are signed with GNU Privacy Guard (GPG) keys. A valid signature lets you confirm that the package you are about to install is the one published on the Support site and that it has not been modified after it was signed. Note that a signature proves origin and integrity only relative to the public key you verify against: obtain the UIM public key from the vendor and confirm its fingerprint through a channel other than the download itself before you trust it.
The following illustration outlines the process (image not reproduced in this text):
The following topics provide the detailed information:
Supported RPM and DEB Packages
The following packages have been signed with the GPG-enabled keys:
  • nimsoft-robot.i386.rpm
  • nimsoft-robot.x86_64.rpm
  • nimsoft-robot+debian_amd64.deb
  • nimsoft-robot+ubuntu_amd64.deb
Note that the previous versions of these packages are not signed with the GPG-enabled keys.
Verify Prerequisites
Ensure that your environment meets the following requirements:
  • GPG version 2.2.4 (or later)
  • RPM version 4.0 (or later)
  • dpkg-sig (for Debian/Ubuntu packages; it verifies against the GPG keyring of the user who runs it)
Verify the Signature of Signed RPM and DEB Packages
To verify the signature of the signed RPM and DEB packages, follow the appropriate procedure that is outlined in this section:
Verify the Signature of Signed RPM Packages
Before you install the packages, verify their signatures to ensure that they have not been tampered with. rpm verifies signatures against the public keys in the RPM database, so the key must be imported there with rpm --import; importing it into the GPG keyring as well lets you inspect the key (for example, its fingerprint) with gpg.
Follow these steps:
  1. Verify that the signed .rpm packages and the GPG public key are available on your computer.
    Download the GPG public key file from the UIM Hotfix Index site.
  2. Use the following command to import the GPG public key into the GPG keyring:
    # gpg --import GPG-KEY-UIM-001
    When you execute the command, you get the following response. The line
    imported: 1
    in the command output signifies that the key has been imported successfully:
    gpg: key 8B4FDD0849C0B447: public key "uimbuild (UIM GPG signing key) <[email protected]>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
  3. Use the following command to import the GPG public key into the RPM database:
    # rpm --import GPG-KEY-UIM-001
    This command does not display any output on the screen. Therefore, you can use the following command to verify that the public key has been imported:
    # rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
    When you execute this command, the following output is generated. The segment
    uimbuild (UIM GPG Signing) <[email protected]>
    in the output shows that the public key has been imported:
    gpg-pubkey-fd431d51-4ae0493b --> gpg(Red Hat, Inc. (release key 2) <[email protected]>)
    gpg-pubkey-2fa658e0-45700c69 --> gpg(Red Hat, Inc. (auxiliary key) <[email protected]>)
    gpg-pubkey-b74246ce-58d281c9 --> gpg(uimbuild (UIM GPG Signing) <[email protected]>)
  4. Use the following command to verify the signature:
    # rpm -K nimsoft-robot.x86_64.rpm
    When you execute the command, you get the following response. It shows that both the digests and the signature were verified successfully:
    nimsoft-robot.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
    Check that the line names a signature (pgp in this output; on rpm 4.14 and later the format is "digests signatures OK") and not only digests: rpm also prints OK for an unsigned package whose digests match (for example "sha1 md5 OK" or "digests OK"). If the signing key is not in the RPM database, the result is "NOT OK" together with "MISSING KEYS". Use rpm -Kv to see each check on its own line.
You have successfully verified the RPM packages.
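The following script is an added example, not part of the UIM documentation or product. It wraps the four steps above and the subsequent rpm -ivh in a fail-closed procedure: it pins the downloaded key file to a fingerprint obtained separately, confirms the key landed in the RPM database, and refuses to install unless rpm -K reports a verified signature rather than just matching digests. The key file and package names are taken from the page; the fingerprint argument is a placeholder that assumes you have the vendor-published value.

```shell
#!/bin/sh
# Added example, not from the UIM documentation: fail-closed wrapper around
# the rpm(8) verification procedure. GPG-KEY-UIM-001 and the package name are
# from the page; the fingerprint argument is an assumed out-of-band value.
set -u

to_upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# Classify one line of `rpm -K` / `rpm --checksig` output.
# Prints SIGNED_OK, UNSIGNED or BAD and succeeds only for SIGNED_OK.
# rpm prints "OK" for an unsigned package whose digests match, so "OK" on
# its own is not proof that a signature was checked.
rpm_sig_status() {
  line=${1#*: }                                  # drop the "file.rpm: " prefix
  line=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
  case "$line" in
    *"not ok"*) echo BAD; return 1 ;;            # bad signature, or key missing
    *" ok") ;;                                   # digests (maybe a signature) passed
    *)          echo BAD; return 1 ;;            # anything else is not success
  esac
  case "$line" in
    # old format: "rsa sha1 (md5) pgp md5 OK"; rpm >= 4.14: "digests signatures OK"
    *pgp*|*gpg*|*signatures*) echo SIGNED_OK; return 0 ;;
    *)                        echo UNSIGNED;  return 1 ;;   # digests only
  esac
}

# True if the gpg-pubkey listing from the RPM database mentions the key.
# $1: output of `rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'`
# $2: substring identifying the key (e.g. part of the uid text)
rpmdb_has_key() {
  printf '%s\n' "$1" | grep -q -- "$2"
}

# Fingerprint of the first public key in a key file, without importing it.
key_file_fingerprint() {
  gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_and_install KEYFILE PACKAGE EXPECTED_FINGERPRINT
verify_and_install() {
  keyfile=$1; pkg=$2; expected_fpr=$(to_upper "$3")

  # 1. Pin the key before trusting it: the key file comes from the same site
  #    as the packages, so a separately obtained fingerprint is the anchor.
  actual_fpr=$(key_file_fingerprint "$keyfile")
  if [ "$actual_fpr" != "$expected_fpr" ]; then
    echo "key fingerprint mismatch: got '$actual_fpr', expected '$expected_fpr'" >&2
    return 2
  fi

  # 2. rpm -K checks against the RPM database, not the gpg keyring.
  rpm --import "$keyfile" || return 2
  listing=$(rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n')
  rpmdb_has_key "$listing" 'uimbuild' || { echo "UIM key not in RPM database" >&2; return 2; }

  # 3. Verify, and stop unless a signature (not just digests) passed.
  result=$(rpm -K "$pkg")
  echo "$result"
  status=$(rpm_sig_status "$result") || { echo "refusing to install: $status" >&2; return 1; }

  # 4. Only now install.
  rpm -ivh "$pkg"
}

# Usage: ./verify_rpm.sh GPG-KEY-UIM-001 nimsoft-robot.x86_64.rpm <fingerprint>
if [ $# -eq 3 ]; then
  verify_and_install "$1" "$2" "$3"
fi
```

The parser accepts both the pre-4.14 rpm output shown on this page and the newer "digests signatures OK" form, and treats a missing key ("NOT OK ... MISSING KEYS") as a failure rather than falling through to the NOKEY path described later on this page.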
Installing RPM Packages After Verification
Depending on your setup, you can then use the appropriate command to install the packages after they are verified:
  • If you want to manually (directly) install the package, you can use the following command:
    # rpm -ivh nimsoft-robot.x86_64.rpm
    When you execute the command, you get the following response. The response shows the successful installation of the package:
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:nimsoft-robot-9.31-1             ################################# [100%]
  • If the RPM package is provided through a yum repository, you can use the following command. yum verifies the package signature itself only when gpgcheck=1 is set for that repository in its .repo file:
    # yum install nimsoft-robot
    When you execute the command, the following output is generated. The output shows that the installation is successful:
    Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
    This system is not registered with an entitlement server. You can use subscription-manager to register.
    Resolving Dependencies
    --> Running transaction check
    ---> Package nimsoft-robot.x86_64 0:9.31-1 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package            Arch        Version      Repository               Size
    ================================================================================
    Installing:
     nimsoft-robot      x86_64      9.31-1       nimsoft-remote-repo      10 M

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total download size: 10 M
    Installed size: 64 M
    Is this ok [y/d/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Warning: RPMDB altered outside of yum.
      Installing : nimsoft-robot-9.31-1.x86_64                              1/1
      Verifying  : nimsoft-robot-9.31-1.x86_64                              1/1

    Installed:
      nimsoft-robot.x86_64 0:9.31-1

    Complete!
Install RPM Packages without Verifying Signatures
If you do not want to verify the signatures of the signed RPM packages, you can proceed with the package installation without any verification. Depending on your setup, you can use the appropriate command to install the packages:
  • If you want to manually (directly) install the package, you can use the following command. The output displays a warning that the signature could not be checked because the signing key is not installed (NOKEY). rpm installs the package anyway; if you continue, you have no assurance about the origin or integrity of the package:
    # rpm -ivh nimsoft-robot.x86_64.rpm
    The following response first shows the warning message and then proceeds with the installation:
    warning: nimsoft-robot.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 49c0b447: NOKEY
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:nimsoft-robot-9.31-1             ################################# [100%]
  • If your package is provided through a yum repository and you want to install from that repository, use the following command with the --nogpgcheck option, which disables signature checking for this transaction:
    # yum install --nogpgcheck nimsoft-robot
    When you execute the command, you get the following response. Note that the package is installed successfully:
    Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
    This system is not registered with an entitlement server. You can use subscription-manager to register.
    Resolving Dependencies
    --> Running transaction check
    ---> Package nimsoft-robot.x86_64 0:9.31-1 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package            Arch        Version      Repository               Size
    ================================================================================
    Installing:
     nimsoft-robot      x86_64      9.31-1       nimsoft-remote-repo      10 M

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total size: 10 M
    Installed size: 64 M
    Is this ok [y/d/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Warning: RPMDB altered outside of yum.
      Installing : nimsoft-robot-9.31-1.x86_64                              1/1
      Verifying  : nimsoft-robot-9.31-1.x86_64                              1/1

    Installed:
      nimsoft-robot.x86_64 0:9.31-1

    Complete!
    If you do not use the --nogpgcheck option and the repository is configured with gpgcheck=1, yum refuses to install a package whose signature it cannot verify. The output displays the NOKEY warning and the installation does not proceed further:
    Resolving Dependencies
    --> Running transaction check
    ---> Package nimsoft-robot.x86_64 0:9.31-1 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package            Arch        Version      Repository               Size
    ================================================================================
    Installing:
     nimsoft-robot      x86_64      9.31-1       nimsoft-remote-repo      10 M

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total download size: 10 M
    Installed size: 64 M
    Is this ok [y/d/N]: y
    Downloading packages:
    warning: /var/cache/yum/x86_64/7Server/nimsoft-remote-repo/packages/nimsoft-robot.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 4b4b47fd: NOKEY
    Public key for nimsoft-robot.x86_64.rpm is not installed
    nimsoft-robot.x86_64.rpm                                 | 10 MB  00:07:23
    Public key for nimsoft-robot.x86_64.rpm is not installed
Verify the Signature of Signed DEB Packages
Before you install the DEB packages, verify their signatures to ensure that they have not been tampered with. To do so, import the GPG public key into the GPG keyring (used by dpkg-sig) and into the APT keyring (used by apt when it verifies repository metadata), and then verify the signature. Note that dpkg-sig signs and verifies individual .deb files, whereas apt verifies the signed Release file of a repository; dpkg -i on its own does not check dpkg-sig signatures.
Follow these steps:
  1. Verify that the signed .deb packages and the GPG public key file are available on your computer.
    Download the GPG public key file from the UIM Hotfix Index site.
  2. Use the following command to import the GPG public key into the GPG keyring:
    # gpg --import GPG-KEY-UIM-001
    When you execute the command, you get the following response. The line
    imported: 1
    in the command output signifies that the key has been imported successfully:
    gpg: key 8B4FDD0849C0B447: public key "uimbuild (UIM GPG signing key) <[email protected]>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
  3. Use the following command to import the GPG public key into the APT keyring:
    # apt-key add GPG-KEY-UIM-001
    When you execute the command, you get the following response. The line
    OK
    in the command output signifies that the key has been added successfully:
    OK
    apt-key is deprecated in recent Debian and Ubuntu releases (apt 2.2 and later). There, place the key in a keyring file under /etc/apt/trusted.gpg.d/ or, better, in a dedicated keyring file referenced by signed-by= in the repository's sources entry, so that the key is trusted only for that repository.
  4. Use the following command to verify the signature:
    # dpkg-sig --verify nimsoft-robot+debian_amd64.deb
    When you execute the command, you get the following response. The status
    GOODSIG
    in the command output signifies that a key in your GPG keyring made a valid signature over the package:
    Processing nimsoft-robot+debian_amd64.deb...
    GOODSIG _gpgbuilder B16265877A80C8FB40327C4A681EFD1DE5124174 1523440651
    Compare the fingerprint on the GOODSIG line with the fingerprint of the UIM key you imported; a valid signature from any other key in your keyring produces the same GOODSIG status. BADSIG indicates a signature that does not verify, and UNKNOWNSIG indicates a signature from a key that is not in your keyring.
You have successfully verified the signature.
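The following script is an added example, not part of the UIM documentation or product. It performs the DEB procedure above in a fail-closed way: it imports the key into the GPG keyring that dpkg-sig uses and into a dedicated APT keyring (the replacement for the deprecated apt-key add), then runs dpkg -i only when dpkg-sig reports GOODSIG from the expected fingerprint. The file names are from the page; the keyring path /etc/apt/keyrings/uim.gpg, the commented repository line and the expected fingerprint are assumptions, and the key file is assumed to be ASCII-armored.

```shell
#!/bin/sh
# Added example, not from the UIM documentation: fail-closed verification of
# a dpkg-sig signed .deb before `dpkg -i`, with the signer pinned to a
# fingerprint. Keyring path, repository line and fingerprint are assumptions.
set -u

to_upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# Classify the output of `dpkg-sig --verify PKG`.
# $1: captured output; $2: fingerprint the GOODSIG line must carry.
# Prints GOOD, WRONG_KEY, UNKNOWN_KEY, BAD or NONE; succeeds only for GOOD.
# GOODSIG alone means "some key in my keyring made a valid signature";
# the fingerprint comparison is what ties the package to the vendor key.
deb_sig_status() {
  expected=$(to_upper "$2")
  status=NONE
  while read -r tag _role fpr _rest; do
    case "$tag" in
      BADSIG)     status=BAD ;;                                 # sticky
      UNKNOWNSIG) [ "$status" = BAD ] || status=UNKNOWN_KEY ;;
      GOODSIG)
        if [ "$status" = NONE ] || [ "$status" = GOOD ]; then  # failures stay
          if [ "$(to_upper "$fpr")" = "$expected" ]; then
            status=GOOD
          else
            status=WRONG_KEY
          fi
        fi ;;
    esac
  done <<EOF
$1
EOF
  echo "$status"
  [ "$status" = GOOD ]
}

# Install the vendor key. `apt-key add` is deprecated on current Debian and
# Ubuntu; a dedicated keyring referenced by signed-by= limits the key to this
# repository. dpkg-sig reads the gpg keyring of the calling user, hence --import.
install_uim_key() {
  keyfile=$1
  gpg --import "$keyfile" || return 2
  install -d -m 0755 /etc/apt/keyrings || return 2
  gpg --yes -o /etc/apt/keyrings/uim.gpg --dearmor "$keyfile" || return 2
  # Assumed sources entry; replace host and suite with your own:
  # deb [signed-by=/etc/apt/keyrings/uim.gpg] http://repo.example.invalid/uim stable main
}

# verify_and_install PACKAGE EXPECTED_FINGERPRINT
verify_and_install() {
  pkg=$1; expected=$2
  out=$(dpkg-sig --verify "$pkg")        # dpkg -i alone never checks this
  echo "$out"
  status=$(deb_sig_status "$out" "$expected") || {
    echo "refusing to install $pkg: signature status $status" >&2; return 1; }
  dpkg -i "$pkg"
}

# Usage: ./verify_deb.sh GPG-KEY-UIM-001 nimsoft-robot+debian_amd64.deb <fingerprint>
if [ $# -eq 3 ]; then
  install_uim_key "$1" && verify_and_install "$2" "$3"
fi
```

Any BADSIG line makes the result BAD regardless of other signatures, and a GOODSIG from a key other than the pinned one is reported as WRONG_KEY rather than accepted, which is the case the procedure's own "look for GOODSIG" check does not cover.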
Install DEB Packages After Verification
Depending on your setup, you can use the appropriate command to install the packages after they are verified:
  • If you want to manually (directly) install the package, you can use the following command:
    # dpkg -i nimsoft-robot+ubuntu_amd64.deb
    When you execute the command, you get the following response. The response shows the package installation:
    Selecting previously unselected package nimsoft-robot.
    (Reading database ... 121866 files and directories currently installed.)
    Preparing to unpack nimsoft-robot+ubuntu_amd64.deb ...
    Unpacking nimsoft-robot (9.31) ...
    Setting up nimsoft-robot (9.31) ...
    Processing triggers for ureadahead (0.100.0-20) ...
  • If the DEB package is part of the repository, you can use the following command to install the package:
    # apt-get install nimsoft-robot
    When you execute the command, the following output is generated. The output shows the installation:
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following package was automatically installed and is no longer required:
      grub-pc-bin
    Use 'apt autoremove' to remove it.
    The following NEW packages will be installed:
      nimsoft-robot
    0 upgraded, 1 newly installed, 0 to remove and 99 not upgraded.
    Need to get 9051 kB of archives.
    After this operation, 12.3 MB of additional disk space will be used.
    Get:1 http://10.xx.xxx.xxx trusty/main amd64 nimsoft-robot amd64 9.20 [9051 kB]
    Fetched 9051 kB in 1s (17.5 MB/s)
    Selecting previously unselected package nimsoft-robot.
    (Reading database ... 123945 files and directories currently installed.)
    Preparing to unpack .../nimsoft-robot_9.20_amd64.deb ...
    Unpacking nimsoft-robot (9.20) ...
    Processing triggers for ureadahead (0.100.0-20) ...
    Processing triggers for systemd (237-3ubuntu10.38) ...
    Setting up nimsoft-robot (9.20) ...
    update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Install DEB Packages without Verifying Signatures
If you do not want to verify the signatures of the signed DEB packages, you can proceed with the package installation without any verification. Depending on your setup, you can use the appropriate command to install the package:
  • If you want to manually (directly) install the package, you can use the following command:
    # dpkg -i nimsoft-robot+ubuntu_amd64.deb
    The following response shows the installation process:
    Selecting previously unselected package nimsoft-robot.
    (Reading database ... 121866 files and directories currently installed.)
    Preparing to unpack nimsoft-robot+ubuntu_amd64.deb ...
    Unpacking nimsoft-robot (9.31) ...
    Setting up nimsoft-robot (9.31) ...
    Processing triggers for ureadahead (0.100.0-20) ...
    This command was executed on the Ubuntu 8.04.2 LTS version. No warning that the package signature has not been verified is displayed, because dpkg does not check dpkg-sig signatures at all; the absence of a warning therefore does not mean that the package was verified.
  • If your package is part of the repository and you want to install from your repository, use the following command with the --allow-unauthenticated option. This option makes apt-get install from a repository whose metadata it could not authenticate, so the signature check that protects repository installs is switched off for this command:
    # apt-get --allow-unauthenticated install nimsoft-robot