OSG Release Signing Information¶
Verifying OSG's RPMs¶
We use a GPG key to sign our software packages. Normally yum and rpm transparently use the GPG signatures to verify the packages have not been corrupted and were created by us. You get our GPG public key when you install the osg-release RPM.
If you wish to verify one of our RPMs manually, you can run:
$ rpm --checksig -v <NAME.RPM>
For example:
$ rpm --checksig -v globus-core-8.0-2.osg.x86_64.rpm
globus-core-8.0-2.osg.x86_64.rpm:
Header V3 DSA signature: OK, key ID 824b8603
Header SHA1 digest: OK (2b5af4348c548c27f10e2e47e1ec80500c4f85d7)
MD5 digest: OK (d11503a229a1a0e02262034efe0f7e46)
V3 DSA signature: OK, key ID 824b8603
The OSG Packaging Signing Keys¶
The OSG Software Team has several GPG keys for signing RPMs; The key used depends on the OSG version and EL variant used, as documented below:
| Key 1 (3.0 to 3.5) | |
|---|---|
| Location | /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG |
| Download | UW-Madison, GitHub |
| Fingerprint | 6459 !D9D2 AAA9 AB67 A251 FB44 2110 !B1C8 824B 8603 |
| Key ID | 824b8603 |
| Key 2 (3.6 and on, EL <= 8) | |
|---|---|
| Location | /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-2 |
| Download | UW-Madison, GitHub |
| Fingerprint | 1216 FF68 897A 77EA 222F C961 27DC 6864 96D2 B90F |
| Key ID | 96d2b90f |
| Key 4 (3.6 and on, EL >= 9) | |
|---|---|
| Location | /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-4 |
| Download | GitHub |
| Fingerprint | B77E 70A6 0537 1D3B E109 A18E 3170 E150 1887 C61A |
| Key ID | 1887c61a |
| OSG 23 Automated Signing Key | |
|---|---|
| Location | /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-23-auto |
| Download | GitHub |
| Fingerprint | E2AF 9F6E 239F D62B 5377 05C0 1760 EDF6 4D43 84D0 |
| Key ID | 4d4384d0 |
| OSG 23 Developer Signing Key | |
|---|---|
| Location | /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-23-developer |
| Download | GitHub |
| Fingerprint | 4A56 C5BB CDB0 AAA2 DDE9 A690 BDEE E24C 9289 7C00 |
| Key ID | 92897c00 |
Note
Some packages in the 3.6 repos may still be signed with the old key;
the osg-release RPM contains both keys so you can verify old packages.
You can see the fingerprint for yourself. On EL 7 and older (GnuPG < 2.1.13):
$ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG
pub 1024D/824B8603 2011-09-15 OSG Software Team (RPM Signing Key for Koji Packages) <[email protected]>
Key fingerprint = 6459 D9D2 AAA9 AB67 A251 FB44 2110 B1C8 824B 8603
sub 2048g/28E5857C 2011-09-15
$ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-2
pub 4096R/96D2B90F 2021-02-24 Open Science Grid Software <[email protected]>
Key fingerprint = 1216 FF68 897A 77EA 222F C961 27DC 6864 96D2 B90F
sub 4096R/49E9ACC2 2021-02-24
On EL 8 and newer (GnuPG >= 2.1.13):
$ gpg --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG
pub dsa1024 2011-09-15 [SC]
6459D9D2AAA9AB67A251FB442110B1C8824B8603
uid OSG Software Team (RPM Signing Key for Koji Packages) <[email protected]>
sub elg2048 2011-09-15 [E]
$ gpg --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-2
pub rsa4096 2021-02-24 [SC]
1216FF68897A77EA222FC96127DC686496D2B90F
uid Open Science Grid Software <[email protected]>
sub rsa4096 2021-02-24 [E]
$ gpg --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-4
pub rsa4096 2022-12-28 [SC]
B77E70A605371D3BE109A18E3170E1501887C61A
uid OSG Software 3.6 for EL9 RSA <[email protected]>
sub rsa4096 2022-12-28 [E]
$ gpg --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-23-auto
pub rsa4096 2023-06-23 [SC]
E2AF9F6E239FD62B537705C01760EDF64D4384D0
uid OSG 23 Automated Signing Key <[email protected]>
sub rsa4096 2023-06-23 [E]
$ gpg --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-OSG-23-developer
pub rsa4096 2023-08-15 [SC]
4A56C5BBCDB0AAA2DDE9A690BDEEE24C92897C00
uid OSG 23 Developer Signing Key <[email protected]>
sub rsa4096 2023-08-15 [E]