Stacklet Subscription Repository Signature And Verification

Each file placed in the subscriber repository is accompanied by a detached GnuPG signature (a .sig file). The signature proves that the file originated with Stacklet and has not been modified since it was signed.

To import Stacklet's public key into your local keyring (--keyserver takes a host name as its argument; omit it to use your gpg default, or pass the keyserver of your choice):
% gpg -v --recv-keys B48CC47F

Before trusting the key, compare its full fingerprint against a copy obtained from Stacklet through a separate channel. An 8-hex-digit key ID such as B48CC47F is not unique and is not a sufficient check on its own:
% gpg --fingerprint B48CC47F

Note that the primary key B48CC47F carries an RSA signing subkey, 10CAAA74, which is the key that actually produces the signatures. Verification output therefore reports 10CAAA74, not B48CC47F.

With the file and its .sig in the same directory (gpg locates the signed file by stripping the .sig suffix), verifying a signature looks like this:
% gpg --verify centos.5-4.x86.20091105.img.tar.bz2.sig
gpg: Signature made Fri 14 May 2010 04:05:20 PM EDT using RSA key ID 10CAAA74
gpg: Good signature from "Stacklet (Subscription Repository) "

You will see the following warning if there is no trust path from your own key to Stacklet's key. The signature itself is still valid; the warning only means that GnuPG cannot confirm that the key belongs to Stacklet:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

Once you have checked the fingerprint, you can certify the key yourself so that the warning no longer appears. A local, non-exportable certification is normally what you want:
% gpg --lsign-key B48CC47F

Use gpg --sign-key B48CC47F instead only if you intend to publish your certification of the key. Do not certify the key before the fingerprint check above; doing so silences the warning without establishing that the key is Stacklet's.
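The following POSIX shell script is an added example, not part of Stacklet's repository tooling. It performs the same verification non-interactively, reading gpg's machine-readable --status-fd output instead of the "Good signature" line, and accepts a file only when the signing key (or its primary key) carries a specific full fingerprint. The fingerprint you pass in and the verify.sh file name are assumptions for illustration; the real fingerprint must come from Stacklet out-of-band.

```shell
#!/bin/sh
# Added example, not part of Stacklet's own tooling.
# Verifies a detached GnuPG signature non-interactively and accepts it
# only if the signing key (or its primary key) has the expected full
# fingerprint. Short key IDs such as 10CAAA74 are not unique, so the
# human-readable "Good signature" line is not enough on its own.

# check_validsig EXPECTED_FPR STATUS_TEXT
# Parses gpg --status-fd output and succeeds only when a VALIDSIG line
# names EXPECTED_FPR either as the signing key fingerprint (field 3) or
# as the primary key fingerprint (last field, present when a subkey signed),
# and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line is present.
check_validsig() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) found = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { if (found && !bad) exit 0; exit 1 }'
}

# verify_file SIGFILE EXPECTED_FPR
# Runs gpg in batch mode with status lines on stdout. The signed file is
# SIGFILE without the .sig suffix, which is how gpg itself locates it.
verify_file() {
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null)
    gpg_rc=$?
    [ "$gpg_rc" -eq 0 ] || return 1
    check_validsig "$2" "$status"
}

# Usage (file names and fingerprint are placeholders):
#   sh verify.sh centos.5-4.x86.20091105.img.tar.bz2.sig <FULL_FINGERPRINT>
if [ $# -eq 2 ]; then
    if verify_file "$1" "$2"; then
        echo "OK: signature valid and made by the pinned key"
    else
        echo "FAIL: bad signature or unexpected signing key" >&2
        exit 1
    fi
fi
```

The script pins either the signing subkey's fingerprint or the primary key's fingerprint, so pinning B48CC47F's full fingerprint keeps working if Stacklet rotates the signing subkey while the primary key stays the same. Because it checks the VALIDSIG status line rather than the trust database, it does not depend on having run gpg --lsign-key first.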

