Release Verification
Release archives are published on GitHub Releases.
Each release includes platform archives, a SHA256SUMS checksum file, and a detached PGP signature
(.sig).
Only the SHA256SUMS file is signed. The archives themselves are not signed, but are hashed. To
verify the integrity of a particular archive:
- Download the archive,
SHA256SUMS, andSHA256SUMS.sigfiles from the release. - Verify the
SHA256SUMSfile is properly signed. - Verify the checksum in the file matches the archive.
PGP Public Key¶
Note
Applies to all releases signed by Broadcom after the project transferred from HashiCorp. This includes v2.0.0 and later.
| Attribute | Details |
|---|---|
| Key Name | Packer Plugins by Broadcom |
oss-packer-plugins.pdl@broadcom.com |
|
| Fingerprint | 35A7 8567 9DBC D9EC 5380 63E5 1417 BA83 3615 A23D |
| Key ID | 3615A23D |
| Long Key ID | 1417BA833615A23D |
The public key can be obtained from keys.openpgp.org.
Example¶
The following example verifies a release archive.
Substitute VERSION, OS, and ARCH for the target release.
# Set the release target and derived paths.
FINGERPRINT=35A785679DBCD9EC538063E51417BA833615A23D
VERSION=2.0.0
OS=linux
ARCH=amd64
BASE_URL="https://github.com/vmware/packer-plugin-vmware/releases/download/v${VERSION}"
PREFIX="packer-plugin-vmware_v${VERSION}"
ARCHIVE="${PREFIX}_x5.0_${OS}_${ARCH}.zip"
CHECKSUMS="${PREFIX}_SHA256SUMS"
CHECKSUMS_SIG="${CHECKSUMS}.sig"
# Import the public key.
gpg --keyserver keys.openpgp.org --recv-keys "${FINGERPRINT}"
# Download the archive and signature files.
curl -LO "${BASE_URL}/${ARCHIVE}"
curl -LO "${BASE_URL}/${CHECKSUMS}"
curl -LO "${BASE_URL}/${CHECKSUMS_SIG}"
# Verify the signature file is untampered.
gpg --verify "${CHECKSUMS_SIG}" "${CHECKSUMS}"
# Verify the checksum matches the archive.
shasum -a 256 -c "${CHECKSUMS}" --ignore-missing
Expected Output¶
A successful signature verification reports a good signature:
gpg: Good signature from "Packer Plugins by Broadcom <oss-packer-plugins.pdl@broadcom.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Note
The trust warning is normal for a freshly imported key. It means GPG cannot confirm the key
owner's identity through its web of trust, not that the signature failed. As long as you
imported the key using the fingerprint above and the output reports Good signature, the
checksum file is authentic.
A successful checksum verification ends with the following structure:
Mark the Key as Trusted (Optional)¶
To trust the key for future verifications, confirm the fingerprint and set a local trust level:
FINGERPRINT=35A785679DBCD9EC538063E51417BA833615A23D
gpg --fingerprint "${FINGERPRINT}"
gpg --edit-key "${FINGERPRINT}"
At the gpg> prompt, run trust, choose 4 (I trust fully), confirm with y, then run quit.