Virtuozzo GPG Keys¶
1. Introduction¶
Packages of all Virtuozzo products are signed with GPG signatures that can be verified with the public keys listed below.
Keys obtained during installation of Virtuozzo products can be found in /etc/pki/rpm-gpg.
2. Virtuozzo 7, Virtuozzo Automator 7, and Virtuozzo PowerPanel Signing Key¶
Depending on product, this key is included in different packages with different filenames:
- In Virtuozzo 7, this key is included in the
virtuozzo-releasepackage with the filenameRPM-GPG-KEY-Virtuozzo-7. - In Virtuozzo Automator 7 Management Node component, this key is included in the
va-mn-releasepackage with the filenameRPM-GPG-KEY-Virtuozzo-Automator-MN-7. - In Virtuozzo Automator 7 Agent component, this key is included in the
va-agent-releasepackage with the filenameRPM-GPG-KEY-Virtuozzo-Automator-7. - In Virtuozzo PowerPanel, this key is included in the
pp-releasepackage with the filenameRPM-GPG-KEY-Virtuozzo-Power-Panel-2.
pub 1024R/44CDAD2A 2015-12-02 Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>
Key fingerprint = C92B BB23 E3C3 1386 6694 D5F5 CA0B 7D19 44CD AD2A
sub 1024R/D334B409 2015-12-02
3. Virtuozzo Linux 7 Signing Key¶
This key is included in the vzlinux-release package with the filename VZLINUX_GPG_KEY.
pub 2048R/1812F4D9 2015-10-28 Virtuozzo Linux <vzlinux@support.virtuozzo.com>
Key fingerprint = E1D0 8ACC 8DCE F9A3 3E93 086F 458D 0BA0 1812 F4D9
sub 2048R/55DB800A 2015-10-28
4. Virtuozzo 6 Signing Key¶
This key is included in the parallels-server-bm-release package with the filename PARALLELS_GPG_KEY.
pub 1024D/2425C37E 2001-06-28 Parallels <support@parallels.com>
Key fingerprint = 5D32 18EC DFB7 3932 8A09 6316 20E7 DF6D 2425 C37E
sub 2048g/F3E5F88B 2001-06-28
5. Verifying Downloadable Checksums and Images¶
Using the listed GPG keys, you can verify both the downloadable images of Virtuozzo products and their checksums. You can do so even without adding any keys to your keyring. Typically you may want to perform the following steps:
Download the GPG key. For example:
# wget https://docs.virtuozzo.com/keys/VIRTUOZZO_GPG_KEY
Note
If you already have this key on your machine and want to verify it against the downloaded key, make sure keys’ fingerprints match. To display a key fingerprint, run
gpg --quiet --with-fingerprint <key>.Dearmor the downloaded key:
# gpg -o VIRTUOZZO_GPG_KEY.dearm --dearmor VIRTUOZZO_GPG_KEY
Download the MD5 and SHA256 checksums for the image, the image itself, and their PGP signatures. For example:
# wget http://repo.virtuozzo.com/vz/releases/7.0/x86_64/iso/{md5sum,md5sum.asc} # wget http://repo.virtuozzo.com/vz/releases/7.0/x86_64/iso/{sha256sum,sha256sum.asc} # wget http://repo.virtuozzo.com/vz/releases/7.0/x86_64/iso/{vz-iso-7.0.5.iso,vz-iso-7.0.5.iso.asc}Verify the downloaded MD5 and SHA256 checksums against their PGP signatures. For example:
# gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --verify md5sum.asc md5sum gpg: Signature made Wed 02 Aug 2017 03:46:34 PM MSK using RSA key ID 44CDAD2A gpg: Good signature from "Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>"
# gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --verify sha256sum.asc sha256sum gpg: Signature made Wed 02 Aug 2017 03:46:40 PM MSK using RSA key ID 44CDAD2A gpg: Good signature from "Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>"
Verify the image against its PGP signature and its MD5 and SHA256 checksums against the ones you downloaded. For example:
# gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --verify vz-iso-7.0.5.iso.asc vz-iso-7.0.5.iso gpg: Signature made Wed 02 Aug 2017 01:42:07 PM MSK using RSA key ID 44CDAD2A gpg: Good signature from "Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>"
If you see a warning like WARNING: This key is not certified with a trusted signature!, you may need to set key trust level. To do this, run gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --edit-key Virtuozzo, enter trust, and set the trust level.