Virtuozzo GPG Keys



1. Introduction

Packages of all Virtuozzo products are signed with GPG signatures that can be verified with the public keys listed below.

Keys obtained during installation of Virtuozzo products can be found in /etc/pki/rpm-gpg.

2. Virtuozzo 7, Virtuozzo Automator 7, and Virtuozzo PowerPanel Signing Key

Depending on product, this key is included in different packages with different filenames:

  • In Virtuozzo 7, this key is included in the virtuozzo-release package with the filename RPM-GPG-KEY-Virtuozzo-7.
  • In Virtuozzo Automator 7 Management Node component, this key is included in the va-mn-release package with the filename RPM-GPG-KEY-Virtuozzo-Automator-MN-7.
  • In Virtuozzo Automator 7 Agent component, this key is included in the va-agent-release package with the filename RPM-GPG-KEY-Virtuozzo-Automator-7.
  • In Virtuozzo PowerPanel, this key is included in the pp-release package with the filename RPM-GPG-KEY-Virtuozzo-Power-Panel-2.
pub  1024R/44CDAD2A 2015-12-02 Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>
      Key fingerprint = C92B BB23 E3C3 1386 6694  D5F5 CA0B 7D19 44CD AD2A
sub  1024R/D334B409 2015-12-02

Download key

3. Virtuozzo Linux 7 Signing Key

This key is included in the vzlinux-release package with the filename VZLINUX_GPG_KEY.

pub  2048R/1812F4D9 2015-10-28 Virtuozzo Linux <vzlinux@support.virtuozzo.com>
      Key fingerprint = E1D0 8ACC 8DCE F9A3 3E93  086F 458D 0BA0 1812 F4D9
sub  2048R/55DB800A 2015-10-28

Download key

4. Virtuozzo 6 Signing Key

This key is included in the parallels-server-bm-release package with the filename PARALLELS_GPG_KEY.

pub  1024D/2425C37E 2001-06-28 Parallels <support@parallels.com>
      Key fingerprint = 5D32 18EC DFB7 3932 8A09  6316 20E7 DF6D 2425 C37E
sub  2048g/F3E5F88B 2001-06-28

Download key

5. Verifying Downloadable Checksums and Images

Using the listed GPG keys, you can verify both the downloadable images of Virtuozzo products and their checksums. You can do so even without adding any keys to your keyring. Typically you may want to perform the following steps:

  1. Download the GPG key. For example:

    # wget https://docs.virtuozzo.com/keys/VIRTUOZZO_GPG_KEY
    

    Note

    If you already have this key on your machine and want to verify it against the downloaded key, make sure keys’ fingerprints match. To display a key fingerprint, run gpg --quiet --with-fingerprint <key>.

  2. Dearmor the downloaded key:

    # gpg -o VIRTUOZZO_GPG_KEY.dearm --dearmor VIRTUOZZO_GPG_KEY
    
  3. Download the MD5 and SHA256 checksums for the image, the image itself, and their PGP signatures. For example:

    # wget http://repo.virtuozzo.com/vz/releases/7.0/x86_64/iso/{md5sum,md5sum.asc}
    # wget http://repo.virtuozzo.com/vz/releases/7.0/x86_64/iso/{sha256sum,sha256sum.asc}
    # wget http://repo.virtuozzo.com/vz/releases/7.0/x86_64/iso/{vz-iso-7.0.5.iso,vz-iso-7.0.5.iso.asc}
    
  4. Verify the downloaded MD5 and SHA256 checksums against their PGP signatures. For example:

    # gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --verify md5sum.asc md5sum
    gpg: Signature made Wed 02 Aug 2017 03:46:34 PM MSK using RSA key ID 44CDAD2A
    gpg: Good signature from "Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>"
    
    # gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --verify sha256sum.asc sha256sum
    gpg: Signature made Wed 02 Aug 2017 03:46:40 PM MSK using RSA key ID 44CDAD2A
    gpg: Good signature from "Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>"
    
  5. Verify the image against its PGP signature and its MD5 and SHA256 checksums against the ones you downloaded. For example:

    # gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --verify vz-iso-7.0.5.iso.asc vz-iso-7.0.5.iso
    gpg: Signature made Wed 02 Aug 2017 01:42:07 PM MSK using RSA key ID 44CDAD2A
    gpg: Good signature from "Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>"
    

If you see a warning like WARNING: This key is not certified with a trusted signature!, you may need to set key trust level. To do this, run gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --edit-key Virtuozzo, enter trust, and set the trust level.