7.5
9.0 7.5
Docs menu
MENU

Verifying Downloadable Checksums and Images

Using the listed GPG keys, you can verify both the downloadable images of Virtuozzo products and their checksums. You can do so even without adding any keys to your keyring. Typically you may want to perform the following steps:

  1. Download the GPG key. For example:

    1

    # wget https://docs.virtuozzo.com/keys/VIRTUOZZO_GPG_KEY
    If you already have this key on your machine and want to verify it against the downloaded key, make sure keys’ fingerprints match. To display a key fingerprint, run gpg --quiet --with-fingerprint <key>.

  2. Dearmor the downloaded key:

    1

    # gpg -o VIRTUOZZO_GPG_KEY.dearm --dearmor VIRTUOZZO_GPG_KEY

  3. Download the MD5 and SHA256 checksums for the image, the image itself, and their PGP signatures. For example:

    1
2
3

    # wget http://repo.virtuozzo.com/vz/releases/7.0/x86_64/iso/{md5sum,md5sum.asc}
# wget http://repo.virtuozzo.com/vz/releases/7.0/x86_64/iso/{sha256sum,sha256sum.asc}
# wget http://repo.virtuozzo.com/vz/releases/7.0/x86_64/iso/{vz-iso-7.0.5.iso,vz-iso-7.0.5.iso.asc}

  4. Verify the downloaded MD5 and SHA256 checksums against their PGP signatures. For example:

    1
2
3
4
5
6
7

    # gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --verify md5sum.asc md5sum
gpg: Signature made Wed 02 Aug 2017 03:46:34 PM MSK using RSA key ID 44CDAD2A
gpg: Good signature from "Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>"

# gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --verify sha256sum.asc sha256sum
gpg: Signature made Wed 02 Aug 2017 03:46:40 PM MSK using RSA key ID 44CDAD2A
gpg: Good signature from "Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>"

  5. Verify the image against its PGP signature and its MD5 and SHA256 checksums against the ones you downloaded. For example:

    1
2
3

    # gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --verify vz-iso-7.0.5.iso.asc vz-iso-7.0.5.iso
gpg: Signature made Wed 02 Aug 2017 01:42:07 PM MSK using RSA key ID 44CDAD2A
gpg: Good signature from "Virtuozzo Team (GPG key signature for packages) <security@virtuozzo.com>"

If you see a warning like WARNING: This key is not certified with a trusted signature!, you may need to set key trust level. To do this, run gpg --no-default-keyring --keyring ./VIRTUOZZO_GPG_KEY.dearm --edit-key Virtuozzo, enter trust, and set the trust level.