To verify Nokia RPM-file GPG signatures

Purpose

The following steps describe how to verify that RPM files downloaded from Nokia are GPG-signed by Nokia.

Steps
 

Log in as the root user on a station that has no network connection to any station in a current or proposed NFM-P deployment.


Import the NSP GPG public key.

  1. Enter the following.

    rpm -qa | grep gpg-pubkey ↵

  2. Enter the following.

    sudo rpm --import nsp-rpm-signing-public-key.key ↵

  3. Enter the following.

    rpm -qa | grep gpg-pubkey ↵

    The public key is imported; the import is successful if a line like the following is displayed:

    gpg-pubkey-version-release


If you are performing the procedure on an NFM-P main server, import the td-agent and rockyofficial public keys.

  1. Enter the following.

    rpm -qa | grep gpg-pubkey ↵

  2. Enter the following.

    sudo rpm --import GPG-KEY-td-agent ↵

  3. Enter the following.

    sudo rpm --import RPM-GPG-KEY-rockyofficial ↵

  4. Enter the following.

    rpm -qa | grep gpg-pubkey ↵

    The public keys are imported; the import is successful if a line like the following is displayed:

    gpg-pubkey-version-release


Enter the following to verify that the imported GPG public key is from Nokia:

rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' ↵

Output like the following is displayed if the key is from Nokia:

gpg-pubkey-version-release --> gpg(Nokia Corporation (NOKIA-RPM-GPG-KEY) <portal.support@nokia.com>)


If the command output indicates a provider other than Nokia or other recognizable providers, contact technical support.


Record the version and release values.


Enter the following for each key:

rpm -qi gpg-pubkey-version-release

The GPG key information is displayed; the following is the Nokia GPG public key information:

Name        : gpg-pubkey

Version     : version

Release     : release

Architecture: (none)

Install Date: date time

Group       : Public Keys

Size        : 0

License     : pubkey

Signature   : (none)

Source RPM  : (none)

Build Date  : date time

Build Host  : localhost

Relocations : (not relocatable)

Packager    : Nokia Corporation (NOKIA-RPM-GPG-KEY) <portal.support@nokia.com>

Summary     : gpg(Nokia Corporation (NOKIA-RPM-GPG-KEY) <portal.support@nokia.com>)

Description :

-----BEGIN PGP PUBLIC KEY BLOCK-----

GSG public key information

-----END PGP PUBLIC KEY BLOCK-----


To verify an RPM-file signature using the GPG key, enter the following:

rpm -v -K RPM_file

where RPM_file is the absolute path of the RPM file to check

Signing information like the following is displayed.

RPM_file:

    Header V4 RSA/SHA1 Signature, key ID key_ID: OK

    Header SHA1 digest: OK (SHA1_message_digest)

    V4 RSA/SHA1 Signature, key ID key_ID: OK

    MD5 digest: OK (MD5_message_digest)

Signature   : (none)

rpm -qpi RPM_file

Name        : RPM-file

Epoch       : 0

Version     : R.r.0

Release     : rel.v

Architecture: x86_64

Install Date: (not installed)

Group       : Applications/Communications

Size        : file_size

License     : YYYY, Nokia

Signature   : RSA/SHA1, date time, Key ID key_ID

Source RPM  : RPM_file

Build Date  : data time

Build Host  : hostname

Relocations : (not relocatable)

Packager    : Nokia

Vendor      : Nokia

URL         : http://www.nokia.com

Summary     : content_descriptor

Description :


Review the information.

The Signature output is as shown above for a signed file; for an unsigned file, the Signature output is the following:

Signature   : (none)


10 

If the key ID matches the version recorded in Step 6 for the Nokia key, and the file is signed, the file is valid; otherwise, contact technical support.


11 

Close the console window.

End of steps