All packages shipped by the vendor come with a signature. Signature verification depends on the platform:
- macOS packages are signed by an Apple developer certificate.
- Linux, FreeBSD, AIX, Solaris and HP-UX packages are signed with a PGP key.

You can find the public key at pgp.mit.edu and at keyserver.ubuntu.com.
To fetch the public key, use its ID:
    gpg --keyserver <keyserver> --recv C5C4EC20AFB5B8E678085F81B161CD624417450C
You can also find the same public key in the oneidentity_pgpkey.pub file. To import it, use the following command:
    gpg --import oneidentity_pgpkey.pub

To verify package signature
- Download the public key.
- Verify the files.
  - For platforms with separate .sig file signatures, use gpg2:
        gpg --verify <file>.sig <file>
  - For rpm packages, import the public key into the rpm database:
        gpg --export -a "C5C4EC20AFB5B8E678085F81B161CD624417450C" >pubkey
        rpm --import pubkey
    And verify with:
        rpm --checksig --verbose <file>
  - For Debian packages, use debsig-verify.
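
When the detached-signature check is scripted, note that gpg --verify succeeds for a good signature from any key present in the keyring, so the script should also confirm that the signer is the key whose ID is given above. The following is an added example, not code supplied by the vendor; it pins the fingerprint by parsing the output of gpg --status-fd, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: accept a detached signature only if it was made by the
# key whose ID is listed on this page.
EXPECTED_FPR="C5C4EC20AFB5B8E678085F81B161CD624417450C"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names the wanted fingerprint (as signing key or as its primary key) and
# no status line reports a bad, unverifiable, expired or revoked signature.
# (Hypothetical helper name.)
status_has_pinned_sig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Field 3 is the signing key fingerprint; the last field is the
        # primary key fingerprint.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_pinned <file>.sig <file>   (hypothetical helper name)
# Runs gpg with machine-readable status on stdout, then applies the pin.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_has_pinned_sig "$EXPECTED_FPR"
}

# When called as a script: verify-pinned.sh <file>.sig <file>
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "OK: $2 is signed by $EXPECTED_FPR"
    else
        echo "FAIL: $2 is not validly signed by $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```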