KB Article #187660
How can I validate the downloaded RPM installation file?
Problem
The Validation Authority 5.2 Administrator Guide says:
“The distributed installation file is digitally signed by the Axway generated GPG key and can be verified using the shipped GPG public key prior to installation.”
See Install VA Server on Linux
How can this be done?
Resolution
The distributed installation file is digitally signed by the Axway generated GPG key and can be verified prior to installing VA Server on Linux. To verify the RPM signature for versions prior to 5.2 UP202409, download the GPG public key from https://axway.jfrog.io/artifactory/va-generic/1.0/AXWAYVA-RPM-GPG-KEY. To verify the signature for versions 5.2 UP202409 and later, the GPG public key is available at https://axway.jfrog.io/artifactory/va-generic/1.0/...
You can verify the RPM installation package by following these steps:
1) Check that the RPM is signed by querying the package:
rpm -qip Validation_Authority_Server_5.2_UP202405_linux-x86-64_BN32748.rpm
warning: Validation_Authority_Server_5.2_UP202405_linux-x86-64_BN32748.rpm: Header V4 RSA/SHA1 Signature, key ID 335e9363: NOKEY
Name        : ValidationAuthority
Version     : 5.2Update202405
Release     : 32748.el7
Architecture: x86_64
Install Date: (not installed)
Group       : Axway-VA
Size        : 93065728
License     : © 2000-2022 AXWAY END USER LICENSE AND SERVICES AGREEMENT
Signature   : RSA/SHA1, Tue 28 May 2024 12:11:59 PM MST, Key ID bce03baf335e9363
Source RPM  : ValidationAuthority-5.2Update202405-32748.el7.src.rpm
Build Date  : Tue 28 May 2024 12:11:46 PM MST
Build Host  : swf-slave-3-rhel7.protected.lab.phx.axway.int
Relocations : (not relocatable)
Vendor      : Axway Inc.
Summary     : Axway Validation Authority Server installer
Description : Axway Validation Authority Server is scalable, high-performance CA-neutral OCSP and SCVP server.
2) Verify signature
a) Confirm that verification fails while the key is not installed (NOKEY):
rpm -Kv Validation_Authority_Server_5.2_UP202405_linux-x86-64_BN32748.rpm
Validation_Authority_Server_5.2_UP202405_linux-x86-64_BN32748.rpm:
Header V4 RSA/SHA1 Signature, key ID 335e9363: NOKEY
Header SHA1 digest: OK
V4 RSA/SHA1 Signature, key ID 335e9363: NOKEY
MD5 digest: OK
b) Download the GPG key
c) Install the GPG key
rpm --import AXWAYVA-RPM-GPG-KEY.txt
d) Verify the signature with the installed key:
rpm -Kv Validation_Authority_Server_5.2_UP202405_linux-x86-64_BN32748.rpm
Validation_Authority_Server_5.2_UP202405_linux-x86-64_BN32748.rpm:
Header V4 RSA/SHA1 Signature, key ID 335e9363: OK
Header SHA1 digest: OK
V4 RSA/SHA1 Signature, key ID 335e9363: OK
MD5 digest: OK
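The check in step 2d can be scripted so that it fails closed. The following is an added example, not part of the Axway article or product: it accepts `rpm -Kv` output only if a signature line is present, every signature line reports OK for the expected key ID, and every digest line is OK. The function names and the sample data are constructed for illustration; the key ID 335e9363 is the one shown in the output above.

```shell
#!/bin/sh
# Added example, not Axway code. Function names are illustrative.

# verify_kv_output KEYID: reads `rpm -Kv` output on stdin. Succeeds only if
# a Signature line exists, every Signature line names KEYID and ends in OK,
# and every digest line ends in OK. Anything else (NOKEY, BAD, no signature
# at all, empty output) fails.
verify_kv_output() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { sub(/[ \t\r]+$/, "") }
        /Signature, key ID/ {
            sigs++
            if (tolower($0) !~ ("key id " want ": ok$")) bad++
            next
        }
        /digest:/ { if ($0 !~ /: OK$/) bad++ }
        END { exit !(sigs > 0 && bad == 0) }
    '
}

# verify_rpm FILE KEYID: run the real check (needs rpm on the host).
verify_rpm() {
    LC_ALL=C rpm -Kv "$1" 2>&1 | verify_kv_output "$2"
}

# Constructed samples, shaped like the rpm -Kv output in this article.
sample_nokey() {
cat <<'EOF'
Validation_Authority_Server_5.2_UP202405_linux-x86-64_BN32748.rpm:
    Header V4 RSA/SHA1 Signature, key ID 335e9363: NOKEY
    Header SHA1 digest: OK
    V4 RSA/SHA1 Signature, key ID 335e9363: NOKEY
    MD5 digest: OK
EOF
}
sample_ok() { sample_nokey | sed 's/NOKEY$/OK/'; }

# Usage: sh verify.sh <file.rpm> <key id>, e.g. key ID 335e9363 from above.
if [ "$#" -eq 2 ]; then
    if verify_rpm "$1" "$2"; then echo "signature OK"; else echo "REJECTED"; exit 1; fi
fi
```

Pinning the key ID matters because `rpm -Kv` reports OK for a signature made by any key already imported into the RPM keyring, not only the Axway key. The output shows only the short key ID, so compare it with the long Key ID in the Signature field from step 1 as well.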